ABSTRACT


As  our  reliance  on  the  Internet  grows,  our  interconnected  networks  become  more 
vulnerable  to  cyberattacks.  Cyberattacks  and  other  cyber  threats  can  cause  disastrous 
results,  especially  if  a  coordinated  targeted  attack  hits  multiple  networks  at  the  same  time. 
For  this  reason,  cyber  information-sharing  among  public  and  private  organizations 
becomes  necessary  and  important  to  defend  our  networks.  Many  cyber  threats  are 
difficult  to  detect  and  identify  by  a  single  organization.  Information  sharing  can  help 
detect  these  potential  risks,  prevent  cyberattacks,  and  facilitate  incident  response  to  better 
defend  networks.  Although  the  public  and  private  sectors  have  begun  to  share 
cybersecurity  information,  there  are  still  many  barriers  that  stop  agencies  from  sharing 
more.  This  research  identifies  and  reviews  what  the  barriers  are  to  sharing  cyber 
information  and  possible  ways  that  the  barriers  can  be  overcome. 
EXECUTIVE SUMMARY


Society is increasingly dependent upon the Internet and the systems delivered through it.
These systems help ensure that they deliver and maintain essential services in the face of
attacks, failures, and accidents. Our critical infrastructure sector is reliant on networked
environments for its daily operation. It is these systems that the consumer has come to
rely on too in order to do their banking, purchase their goods, and extract money from
ATMs when needed. If any of these systems were to fail or be hacked by cyber
criminals, the trust that consumers have in these systems would be altered and it would take
a long time for the industry to rebuild that trust.

President Obama has declared that the “cyber threat is one of the most serious
economic and national security challenges we face as a nation” and that “America’s
economic prosperity in the 21st century will depend on cybersecurity.”1 Our economy
and national security depend on a secure cyberspace. One of the pillars of our nation’s
cybersecurity strategy is to improve our resilience to cyber incidents and to reduce and
defend against cyber threats.

An important component of securing our IT infrastructure is the sharing of
cybersecurity information between and among private entities. In particular, the sharing
of information about cybersecurity threats, such as incident or threat reports, indicators,
threat signatures, and alerts (collectively, “cyber threat information”) among these
entities has the potential to greatly improve the safety of our systems. In his February
2013 Executive Order, the President highlighted the important role the government can
play in sharing information with private sector entities, while ensuring that privacy and
civil liberties protections are in place.2

Today, there are several projects underway where cyber threat information
sharing is taking place, both informally and through formal exchange. Further, the
sector-specific Information Sharing Analysis Centers (ISACs) have been established to advance
the physical and cybersecurity of critical infrastructures and the recently published NIST
Cybersecurity Framework is helping to increase sharing capabilities.

1 The White House, “National Security Council Cybersecurity,” accessed August 1, 2013,
http://www.whitehouse.gov/cybersecurity.

2 Exec. Order No. 13636, 78 C.F.R. 11739 (2013).

There  are  many  ways  to  share  data.  It  can  be  structured  or  unstructured  data.  It 
can  be  shared  via  automated  methods,  manually,  or  both.  There  are  many  benefits  to 
sharing  cybersecurity  related  information  including  an  increase  in  the  security, 
availability,  integrity,  and  efficiency  of  our  information  systems  which  leads  to  more 
secure  networks. 

Given  the  importance  of  information  sharing,  this  thesis  sets  out  to  examine  the 
barriers  to  cybersecurity  information  sharing  and  how  some  of  these  barriers  may  be 
overcome.  The  information  in  this  thesis  draws  from  the  review  of  available  literature — 
both  academic  and  non-academic  publications.  The  findings  of  this  research  are  a  step 
forward  to  identify  those  barriers  which  are  most  important  and  how  they  may  be 
overcome. 
I. INTRODUCTION


A.  INTRODUCTION 

After the attacks of September 11, 2001, two commissions concluded that
information-sharing is a critical element for preventing terrorist attacks and for protecting
the United States. The National Commission on Terrorist Attacks upon the United States
(9/11 Commission) concluded that information-sharing had not been a priority for the
federal government before the attacks.1 The Markle Task Force was formed in 2002 to
identify best practices in making information discoverable and accessible and enabling
improved decision making with regard to threats against our nation. The Task Force
found deficiencies in information sharing, and pushed for continued improvements in
information sharing.2

The need to share data, including cybersecurity information, among federal
agencies is imperative. According to Michael Daniel, special assistant to the president
and the cybersecurity coordinator, sharing threat information is critical to effective
cybersecurity.3 Reducing barriers to information-sharing is a key element of the Obama
administration’s strategy to improve the nation’s cybersecurity, and the administration is
aggressively pursuing these efforts through both executive action and legislation.4

Organizations need access to timely cyber threat information in order to detect,
respond to, and protect against cyberattacks and cyber threats. Each federal agency has its
own networks and data repositories that make it very difficult to piece together
information that could collectively serve as a warning. As the White House’s 2009
Cyberspace Policy Review explained, “Information is key to preventing, detecting, and
responding to cyber incidents. A full understanding and effective response may only be
possible by bringing information from those various sources together for the benefit of
all.”5

1 National Commission on Terrorist Attacks upon the United States, The 9/11 Commission Report:
Final Report of the National Commission on Terrorist Attacks upon the United States (Washington, DC:
U.S. Government Printing Office, 2004), 567.

2 Markle Foundation Task Force, Nation at Risk: Policy Makers Need Better Information to Protect
the Country (New York: Markle Foundation, March 2009).

3 Michael Daniel profile, The White House Blog, accessed September 2, 2014,
http://www.whitehouse.gov/blog/author/Michael%20Daniel.

4 Michael Daniel, “Getting Serious about Information Sharing for Cybersecurity,” The White House
Blog, April 10, 2014, http://www.whitehouse.gov/blog/2014/04/10/getting-serious-about-information-sharing-cybersecurity.

The review identified enhanced information-sharing as a key component of
effective cybersecurity, and the administration has made considerable progress in
cybersecurity information sharing. For example, through support from the White House
Cybersecurity Office within the National Security Council Staff (NSCS), the
Comprehensive Cyber Security Initiative (CNCI) initiative number five (#5) connects the
National Cyber Operations Centers and provides support for Enhanced Shared Situational
Awareness (ESSA).6 The Department of Homeland Security (DHS) is working to
develop the Enhanced Cybersecurity Services (ECS) program to share cyber information
with private industry partners.7 But these endeavors, while facilitating greater
cybersecurity information sharing, are just the beginning of this important initiative, and
barriers still remain, limiting the ability of organizations to effectively and efficiently
share. The barriers that have been noted by government and industry include such things
as trust, legal, and technology.

In the cybersecurity community, information-sharing is the act of exchanging
cyber threat information between analysts to improve cyber network defenses.8 Trust
between analysts and organizations is critical. Laws need to ensure that the privacy of
citizens is upheld when information is exchanged, and the technology must be in place to
enable secure machine-to-machine sharing of cybersecurity information.


5 The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and
Communications Infrastructure (Washington, DC: The White House, 2009).

6 “Comprehensive National Cybersecurity Initiative,” The White House, accessed September 9, 2014,
http://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative.

7 U.S. Department of Homeland Security, Privacy Impact Assessment for the Enhanced Cybersecurity
Services (ECS) (Washington, DC: U.S. Department of Homeland Security, 2013).

8 P. W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (New
York: Oxford University Press, 2014), 222-246.
B. STATEMENT OF THE PROBLEM

Many experts agree that the terrorist attacks of 9/11 were caused, in part, by the
inefficiency in the sharing of information.9 According to the National Strategy for
Information Sharing and Safeguarding, “Our national security depends on our ability to
share the right information, with the right people, at the right time.”10 There have been
many initiatives to enable the sharing of information, such as the creation of the National
Counterterrorism Center (NCTC), but the focus has been on terrorism- and law
enforcement-related information and not on cybersecurity.11

Why  is  it  important  to  share  cybersecurity  information?  In  April  2012,  the  public 
disclosure  of  attempted  attacks  against  natural  gas  pipeline  company  systems 
demonstrated  the  necessity — and  the  urgency — of  better  cyber-security  information 
sharing.  The  coordinated  attacks  began  in  December  2011  but  were  not  recognized  and 
analyzed  by  the  Department  of  Homeland  Security  (DHS)  until  March  2012  because 
information on these incidents was not reported to DHS in a timely manner.13 If
stakeholders are provided with timely data on the most critical threats, they can use this
information to implement an effective solution that will reduce the risk to their
mission-essential services.

Furthermore, according to a Government Accountability Office (GAO) report
from February 2013, threats to systems supporting critical infrastructure and federal
operations are evolving and growing.14 Federal agencies report an increase in the
numbers of cybersecurity incidents that have placed sensitive information at risk, with
potentially serious impacts on federal and military operations; critical infrastructure; and
the confidentiality, integrity, and availability of sensitive government, private sector, and
personal information.15 The increasing risks are demonstrated by the dramatic increase in
reports of security incidents, the ease of obtaining and using hacking tools, and steady
advances in the sophistication and effectiveness of attack technology.16

9 Amy B. Zegart, Spying Blind: The CIA, the FBI, and the Origins of 9/11 (Princeton, NJ: Princeton
University Press, 2009).

10 The White House Office, National Strategy for Information Sharing and Safeguarding
(Washington, DC: The White House, December 2012).

11 Richard A. Best, Jr., The National Counterterrorism Center (NCTC) — Responsibilities and
Potential Congressional Concerns (CRS Report No. R41022) (Washington, DC: Congressional Research
Service, 2011).

12 Mark Clayton, “Alert: Major Cyber Attack Aimed at Natural Gas Pipeline Companies,” Christian
Science Monitor, May 5, 2012, http://www.csmonitor.com/USA/2012/0505/Alert-Major-cyber-attack-aimed-at-natural-gas-pipeline-companies.

13 Bipartisan Policy Center Cybersecurity Task Force, Cyber Security Task Force: Public-Private
Information Sharing (Washington, DC: Bipartisan Policy Center, 2012), 5-6.

Information-sharing, timely analysis and warnings continue to challenge efforts to
detect, respond to, and mitigate cybersecurity incidents, even though improvements in
cybersecurity information sharing have become a higher priority. There are significant
barriers that are impeding the progress of a more complete information-sharing approach.
Most experts agree that there are vast benefits with sharing cybersecurity information and
that the barriers must be addressed. In a recent book, for example, P.W. Singer and Allan
Friedman of the Brookings Institution write that the key benefit of information-sharing is
that it allows a more complete view of emerging threats and patterns.17 They point out
that it arms analysts with the lessons learned from other analysts’ experiences. Beyond
empowering the decision makers, information-sharing also benefits organizations and
analysts by supporting the diffusion of experience and best practices of each
organization.18

C.  BACKGROUND 

In recent years, cyber exploitation and malicious activity are becoming
increasingly sophisticated, targeted, and serious. The 2013 Internet Security Threat
Report by Symantec Corporation identified a 42% increase in targeted attacks from
2012.19 In addition, there were over 5,000 new vulnerabilities identified in 2013.20 Of the
new vulnerabilities, 415 were on mobile operating systems and 69% were email
vulnerabilities that were delivered to inboxes as spam.21 One in 400 of the spam emails
were identified as phishing emails, and 1 in 300 were identified as viruses.22

14 Government Accountability Office, Cybersecurity National Strategy, Roles, and Responsibilities
Need to Be Better Defined and More Effectively Implemented (GAO-13-187) (Washington, DC:
Government Accountability Office, February 2013).

15 Ibid., 10.

16 Ibid.

17 Singer and Friedman, Cybersecurity and Cyberwar, 222-246.

18 Ibid.

According to experts at the Center for Strategic and International Studies, the
greatest threat that DHS must defend against in the coming years will come not from a
physical opponent, but from cyberspace.23 This threat will only continue to grow as our
reliance on technology continues to evolve at a rapid rate and state and non-state actors
increasingly invest in cyber capabilities. The danger posed by cyberattacks extends not
only to critical infrastructure systems such as the power grid and water systems but also
to the nation’s economy. Equally, if not more, worrying than the potential for a
catastrophic “cyber Pearl Harbor,” as described by former Defense Secretary Leon
Panetta, is the ongoing theft of intellectual property from U.S. corporations and
businesses.24 As noted by General Keith Alexander, former commander of United States
Cyber Command and director of the National Security Agency, intellectual property theft
represents “the greatest transfer of wealth in history.” This theft not only leeches billions
of dollars from the nation’s economy each year, but also grants potential adversaries
access to sensitive information regarding U.S. technologies, including those related to
national security. According to the Center for Strategic and International Studies (CSIS),
one of DHS’ greatest challenges in the coming years will be to protect against these
attacks and intrusions. In doing so, DHS must establish enhanced systems for improved
intelligence and information-sharing.25

19  Symantec  Corporation,  2013  Internet  Security  Threat  Report  (Mountain  View,  CA:  Symantec, 
2013). 

20  Ibid. 

21  Ibid. 

22  Ibid. 

23 Rick Nelson and Rob Wise, “Homeland Security at a Crossroads: Evolving DHS to Meet the Next
Generation of Threats,” Center for Strategic and International Studies, February 1, 2013,
http://csis.org/publication/homeland-security-crossroads-evolving-dhs-meet-next-generation-threats.

24 Elisabeth Bumiller and Thom Shanker, “Panetta Warns of Dire Threat of Cyberattack on U.S.,”
New York Times, October 11, 2012.

25  Nelson  and  Wise,  “Homeland  Security  at  a  Crossroads.” 
The Federal Financial Institutions Examination Council (FFIEC) recently warned
of the threat of rising cyber-attacks within the financial services critical infrastructure
sector.26 These attacks target bank websites and cash machines, prompting a rise in
denial-of-service  attacks  that  sometimes  are  a  cover  for  criminals  committing  fraud.  The 
council  urged  the  industry  to  put  proper  measures  in  place  to  guard  against  this  type  of 
fraud.  It  described  one  recent  case  in  which  criminals  stole  $40  million  from  just  12 
accounts — far  exceeding  the  actual  balance  held  by  clients — in  a  sophisticated  scheme 
known as an “unlimited operations” fraud.27

In addition to these threats, another threat called the Advanced Persistent Threat
(APT) has been spreading across government and defense contractor networks. Mandiant
Corporation published the Mandiant APT report in March 2013. This report describes the
nature of the APT threat and where it is originating.28 The report analyzes hundreds of
investigations that signal that the groups conducting these security breaches around the
world are based primarily in China.

Cyber threat information from these types of threats is what stakeholders need in
order to implement effective solutions that will reduce the risk to mission-essential
services and data. Organizations currently employ their own defensive measures to
protect their network infrastructures. The emergence of a wide variety of
sophisticated cyber threats has made these disconnected efforts a liability. To
stop the sophisticated adversary, the baseline security posture of the entire
organization should be unified through the improved information-sharing of relevant and
actionable cyber threat information. In order to do this, experts agree that organizations
need to reach out and partner with both private industry and federal organizations and
share threat information, enhance their cyber situational awareness, and protect their
networks.29

26 Federal Financial Institutions Examination Council (FFIEC), Cyber-Attacks on Financial
Institutions’ ATM and Card Authorization Systems (Washington, DC: Federal Financial Institutions
Examination Council, April 2, 2014).

27 “Financial Regulators Release Statements on Cyber-Attacks on Automated Teller Machine and
Card Authorization Systems and Distributed Denial of Service Attacks,” FFIEC (Federal Financial
Institutions Examination Council), April 2, 2014, http://www.ffiec.gov/press/pr040214.htm.

28 Mandiant, APT1: Exposing One of China’s Cyber Espionage Units (Alexandria, VA: Mandiant,
2013).

1.  The  Cyber  Threat 

Network  risks  stem  from  cybercrime,  threats  from  inside  the  organization,  threats 
to  critical  infrastructure,  and  threats  from  nation  state  actors  that  steal  information  for 
economic  gain.  Cybercrime  and  cyberattacks  are  genuine  threats.  Reports  of  data 
breaches, hacks, or thefts have become daily news. Therefore, the data about the
adversaries and threats are critical and must be shared.

In recent years, cyber exploitation and malicious activity in the United States are
becoming increasingly sophisticated, targeted, and serious.32 The 2014 U.S. State of
Cybercrime Survey found that American businesses and institutions are failing to meet
the cybersecurity threats posed by hackers at home and abroad.33 According to the report,
it is clear that the cybersecurity programs of U.S. organizations do not rival the
persistence, tactical skills, and technological prowess of their potential cyber adversaries.

Today, common criminals, organized crime rings, and nation-states leverage
sophisticated techniques to launch attacks that are highly targeted and difficult to detect.
In fact, the U.S. Director of National Intelligence has ranked cybercrime as the top
national security threat, higher than that of terrorism, espionage, and weapons of mass
destruction.34 The report also found that in a volatile cybercrime environment, attackers
continually and rapidly update their tactics to maintain an advantage over any security
safeguard such as anti-virus protection. Recently, for instance, hackers engineered a new
round of distributed denial of service (DDoS) attacks that can generate traffic rated at a
staggering 400 gigabits per second, the most powerful DDoS assaults to date.35

29 Singer and Friedman, Cybersecurity and Cyberwar, 222-246.

30 Cyber Attacks: An Unprecedented Threat to U.S. National Security House of Representative:
Hearing before Subcommittee on Europe, Eurasia, and Emerging Threats of the Committee on Foreign
Affairs, 113th Cong., 2, 1, (2013).

31 Steven Titch, “U.S. Cybersecurity Policy: Problems and Principles,” The Heartland Institute,
August 1, 2013, http://heartland.org/policy-documents/us-cybersecurity-policy-problems-and-principles.

32 Kevin Mickelberg, Neal Pollard and Laurie Schive, 2014 U.S. State of Cybercrime, London:
PricewaterhouseCoopers, June 2014. http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf.

33 Mickelberg, Pollard and Schive, 2014 U.S. State of Cybercrime.

34 Current and Future Worldwide Threats to the National Security of the United States, Remarks
Delivered to the Senate Armed Services Committee (2014) (statement of James R. Clapper, director of
National Intelligence).

One of the most recent and high profile attacks was the November 2013 Point of
Sale (POS) attack on Target Corporation. A cyberattack compromised up to 40 million
payment cards during the first three weeks of the holiday shopping season.36 The
malware was used in conjunction with a variety of other tools, and the criminals
displayed a high degree of skill in orchestrating the various components of the
breaches.37

Financially motivated cyber criminals have used POS malware at an accelerating
pace for several years. POS malware that includes memory-scraping capabilities has been
available for some time.38 The malicious software that enabled hackers to steal
information from credit and debit cards from November 27 to December 15 was later
found on 25 additional checkout machines and continued to collect shoppers’ information
for three more days.39 On December 27, Target also acknowledged, contrary to early
reports, that personal identification numbers to debit and credit cards were also exposed.
During the process of this attack, Target remained operational both through its
brick-and-mortar stores as well as its website.

The Target case is indicative of the growing threat of cyberattacks. It is important to
understand the vulnerabilities locally and globally, and how other governments respond
to these kinds of attacks.


35 Mickelberg, Pollard and Schive, 2014 U.S. State of Cybercrime, 21.

36 Department of Homeland Security (DHS), National Cybersecurity and Communications Integration
Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis
Center (FS-ISAC), and iSIGHT Partners, POS Malware Technical Analysis: Indicators for Network
Defenders (Washington, DC: Department of Homeland Security, January 16, 2014).

37 DHS, NCCIC, USSS, FS-ISAC and iSIGHT, POS Malware Technical Analysis.

38 Ibid.

39 Michael Riley et al., “Target Missed Warnings in Epic Hack of Credit Card Data,” Business Week,
March 13, 2014, http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data.
To defend against threats, cybersecurity analysts and leaders must assess the risks
they face. Herbert Lin, the chief scientist for Computer Science at the National
Academies and one of the leading experts in the field of cybersecurity, explains that the
threat is evaluated on three basic factors: “The feasibility of adversaries being able to
identify and exploit your vulnerabilities, the effect that would happen if they were able to
take advantage of these vulnerabilities, and finally, the likelihood that they will, in fact,
be willing to do so.”40

There is general consensus among practitioners that systems and networks are
inherently vulnerable, and they offer a wide array of opportunities for criminal or cyber
terrorist organizations to exploit these intrinsic weaknesses.41 Cybersecurity analysts
have long tried to get ahead of the adversaries, principally by analyzing the cyber threat
information that is provided to them through such means as cyber threat websites and
trusted partners through the sharing of information.

Singer and Friedman insist that the approach to sharing must be about the data.42
They assert that many things can happen, but someone must cause them. Threats should
be assessed by understanding potential bad actors, what they are trying to do, and why.
They suggest that when sharing information, stakeholders ask questions such as what
type of indicators are we sharing from the cyber information, where did it originate from,
and when did it occur? These types of questions could provide answers to more
actionable information that can be shared.

Cybersecurity experts refer to this data as “cyber threat intelligence.”43 This is a
key part of an organization’s defense against cyber adversaries. Examples of cyber threat
intelligence include understanding and characterizing such information as what sort of
attack actions have occurred or are likely to occur; how can these actions be detected and
recognized; how can they be mitigated; who are the relevant threat actors; what are they
trying to achieve; what are their capabilities, in the form of tactics, techniques, and
procedures they have leveraged over time and are likely to leverage in the future; what
sort of vulnerabilities, misconfigurations, or weaknesses they are likely to target; what
actions have they taken in the past; etc.44

40 Seymour E. Goodman and Herbert S. Lin, eds., Toward a Safer and More Secure Cyberspace
(Washington, DC: The National Academies Press, 2007).

41 Sylvester Ngoma, “Vulnerability of IT Infrastructures: Internal and External Threats,” Congo
Vision, accessed September 13, 2014, www.congovision.com/IT-Security-Pub.pdf, congovision.com.

42 Singer and Friedman, Cybersecurity and Cyberwar, 222-246.

43 Mitre, “Structured Threat Information eXpression — STIX. A Structured Language for Cyber Threat
Intelligence Information,” accessed December 2, 2013, http://measurablesecurity.mitre.org/docs/stix-intro-handout.pdf.

2.  National  Sharing  Initiatives 

The Obama administration has launched several initiatives, including the
Comprehensive National Cybersecurity Initiative Priority Number-5 (CNCI-5) for
enhanced situational awareness of the federal cyber centers, Executive Order (EO) 13636
for Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive
(PPD-21), which is a companion to the EO.45 CNCI-5 was created to connect current
cyber operations centers to enhance situational awareness. Out of this effort came the
Enhanced Shared Situational Awareness (ESSA) initiative that will provide the real-time
cybersecurity situational awareness to improve the security of the U.S. government and
U.S. critical infrastructure. Through this initiative the federal cybersecurity centers
agreed to an information sharing framework, and shared situational awareness (SSA)
requirements to facilitate development and implementation of the ESSA Information
Sharing Architecture (ISA).46

According  to  a  report  by  the  GAO  in  2010,  the  CNCI-5  could  do  a  better  job 
addressing  international  efforts  by  improving  cooperation  between  cybersecurity  and  law 
enforcement  professionals  in  different  nations,  developing  security  standards,  and 
pursuing  international  agreements  on  engagement  and  information  sharing. As  of  today, 

44  Ibid. 

45 “Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and
Presidential Policy Directive (PPD)-21 Critical Infrastructure Security and Resilience,” Department of
Homeland Security, March 2013, http://www.dhs.gov/publication/fact-sheet-eo-13636-improving-critical-infrastructure-cybersecurity-and-ppd-21-critical.

46  Office  of  the  Director  of  National  Intelligence,  Information  Sharing  Environment  2014  Annual 
Report  to  the  Congress  (Washington,  DC:  Office  of  the  Director  of  National  Intelligence,  2014) 
http://www.ise.gov/annual-report/section4.html. 

47 Government Accountability Office, Cybersecurity: Progress made but Challenges Remain in
Defining and Coordinating the Comprehensive National Initiative (GAO 10-338) (Washington, DC:
Government Accountability Office, 2010).
the initiative is making great strides in the areas of developing standards, but the focus is
still on connecting federal cyber centers and not on national or international cyber
operations centers.

There are other initiatives that are working to provide information to only Internet
service providers (ISPs) and Defense Industry Board (DIB) partners.49 Although these
systems are working to solve part of the problem, there is still a gap in sharing this
information to organizations that do not have the proper clearance level, such as the
private sector community as well as the general public. One such system is the Enhanced
Cybersecurity Services (ECS) initiative that is supposed to expand the number of
companies that receive classified or top secret information from the government about
real or potential threats.50 A problem with this initiative is that to date, few companies
have decided to make the investment. ECS is a voluntary program and the government
does fund it. Businesses must decide if it makes sense to invest in a secure facility and in
network upgrades to handle classified data.51

In addition to the CNCI-5 efforts, the EO expands information-sharing and
collaboration between the government and the private sector, and establishes a process
for identifying critical infrastructure (CI) with high priority for protection.52 It requires
National Institute of Standards and Technology (NIST) to lead in the development of a
framework of cybersecurity standards and best practices for protecting CI and requires
regulatory agencies to establish requirements to address the risks. The companion PPD-21
revises other aspects of policy relating to CI security with the aim of improving
integration and efficiency, among other goals.53

48 “Meeting Minutes,” Information Security and Privacy Advisory Board, accessed September 2,
2014, http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2013-12/ispab_meeting_minutes_december2013.pdf

49 Milton Mueller and Andreas Kuehn, “Einstein on the Breach: Surveillance Technology,
Cybersecurity and Organizational Change,” paper presented at the 12th Workshop on the Economics of
Information Security (WEIS 2013), Georgetown University, Washington, DC, June 11-12, 2013.

50 Department of Homeland Security (DHS), Privacy Impact Assessment for the Enhanced
Cybersecurity Services, Washington, DC: DHS, January 16, 2013.

51 Jason Miller, “DHS Finds Classified Cyber Sharing Program Slow to Take Off,” accessed October
5, 2013, http://www.federalnewsradio.com/index.php?nid=851&sid=3356694.

52 “Presidential Policy Directive — Critical Infrastructure Security and Resilience,” The White House,
February 21, 2013, http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.

According  to  the  National  Infrastructure  Advisory  Council,  having  national  unity 
of  effort  to  strengthen  and  maintain  a  secure,  functioning,  and  resilient  infrastructure 
requires  broad  participation,  collaboration,  and  trust.  The  council  intends  to  measure  the 
effectiveness  of  the  EO  and  PPD  work  by  utilizing  metrics  that  were  developed  by  the 
Homeland  Security  Studies  and  Analysis  Institute.  Future  research  can  include  the 
review  of  these  metrics  as  these  initiatives  are  put  into  operation. 

According  to  the  White  House,  there  are  many  companies  who  are  already 
sharing  information  on  cyber  threats  with  each  other  and  with  the  government  through 
programs  that  preserve  the  privacy  of  Americans,  maintain  appropriate  constraints  on 
government  access  to  private  information,  and  do  not  lead  to  anti-competitive  practices. 
For  example,  during  the  denial-of-service  attacks  that  targeted  the  websites  of  many 
leading  U.S.  banks  over  the  last  few  years,  the  Financial  Services  Information  Sharing 
and  Analysis  Center  coordinated  with  banks  to  exchange  information  to  manage  the 
attacks. Also,  Boston’s  Advanced  Cybersecurity  Center,  the  Bay  Area  Security 
Council,  and  ChicagoFirst  have  built  smaller  trust  networks.  The  White  House  continues 
to work with partners in industry to encourage information sharing partnerships and to
take steps to further reduce barriers to information sharing.58


53  “Presidential  Policy  Directive — Critical  Infrastructure  Security  and  Resilience.” 

54 “Executive Order and PPD-21 Working Group Recommendations for Maximum Engagement
Including the Cybersecurity Framework, in Reducing Cyber Risks to Critical Infrastructure,” National
Infrastructure Advisory Council, September 4, 2013,
http://www.dhs.gov/sites/default/files/publications/WG%20Adoption%20Recomendations.pdf

55  Matthew  H.  Fleming  and  Eric  Goldstein,  Metrics  for  Measuring  the  Efficacy  of  Critical- 
Infrastructure-Centric  Cybersecurity  Information  Sharing  Efforts  (Washington,  DC:  Homeland  Security 
Studies  and  Analysis  Institute,  2012). 

56 Michael Daniel, “Getting Serious about Information Sharing for Cybersecurity.”

57 Data Security: Examining Efforts to Protect Americans’ Financial Information Hearing Before the
House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit,
113th Cong., 2nd Sess (2014) (statement of William Noonan, USSS Criminal Investigative Division
Deputy Special Agent in Charge), https://www.dhs.gov/news/2014/03/05/written-testimony-usss-house-financial-services-subcommittee-financial-institutions.

58 Ibid.
D. PURPOSE OF THE STUDY

This thesis argues that overcoming the barriers to cyber threat information-sharing
will help protect American networks from cyberattacks. It addresses barriers tied to trust,
technology and law, identifies recent technological advances, and examines ways to
overcome the barriers. Furthermore, this thesis reviews the federal cybersecurity
information-sharing initiatives and how they may or may not be making progress, as well
as the efficacy of emerging standards and technology for cybersecurity
information-sharing.

E. RESEARCH QUESTIONS

This research explores two questions: what are the primary barriers to cyber
information sharing between government and private sector organizations, and how
can these barriers be overcome? The intent of this research is to help inform policy
makers about the problems that prevent better sharing of cybersecurity information and
make our cyber information more secure.

To examine these questions, this thesis uses a qualitative analysis tool
known as NVivo and observational evaluation to identify the strengths and weaknesses of
cybersecurity information-sharing, with an emphasis on those already identified by
government and industry.

Literature sources, such as government documents, books, and websites, were
used to perform this study. The literature sources were imported into a software product
called NVivo version 10 and thematically coded and analyzed to find emerging themes.
NVivo is a Computer Assisted Qualitative Data Analysis Software (CAQDAS) tool that
was developed by QSR International.59 CAQDAS tools are used to assist in identifying
patterns and relationships and to interpret the data. This analysis provides further review
and evidence of the question on what the barriers are to cybersecurity
information-sharing. The process of the research plan for using the software for the analysis is
described in Figure 1. Handling qualitative data tends to be an iterative process whereby

59 “Using NVivo for Qualitative Research,” QSR International, accessed June 30, 2014,
http://help-nv10.qsrinternational.com/desktop/concepts/using_nvivo_for_qualitative_research.htm.
the process of the research contains the steps for exploring, coding, reflecting, and taking
memos. The process is repeated by coding more, querying the data, and so on. This will
be further described in Chapter III.
Figure 1. Research plan60


In her book, How to Write a Master’s Thesis, Bui describes how tools such as
NVivo, HyperRESEARCH, and HyperTRANSCRIBE are often used to help code and
analyze qualitative data.61 CAQDAS tools such as NVivo have been used in previous
research at Naval Postgraduate School. For example, Leslie Sekerka, Roxanne Zolin, and
Cary Simon used NVivo software to assist with theme development and facilitate coding


60  Ibid. 

61  Yvonne  N.  Bui,  How  to  Write  a  Master’s  Thesis  (Thousand  Oaks,  CA:  SAGE,  2013). 
in their 2005 thesis, “Rapid Transformation in a Dual Identity Defense University.”62
In 2013, Tiffany Smythe used NVivo to develop a report on a study of the response to
Hurricane Sandy. The software and the coding helped her identify text relevant to the
research question of what plans were in place prior to the hurricane and to identify
lessons learned.

In addition, there have been research projects in other universities that utilized the
NVivo software to help with research. For example, Caroline Bartle of the University of
West England utilized NVivo to develop her doctoral thesis on “Spreading the Word: A
Social-Psychological Exploration of Word-of-Mouth Traveler Information in the Digital
Age.” Bartle used a thematic analysis of website contributions, questionnaire responses
and interviews, and applied the NVivo software to code from these sources.

Another example of the use of the software was from Xiao Fu of Durham
University. Fu used the software in his thesis, “The Influences of Budgetary System in a
Selection of Large Chinese Companies in the Industry of Electronic Household
Appliances,” to study companies’ everyday business activities. The author reviewed
budgetary systems, the relationships that can be discovered between employees’ concepts
and behaviors concerning them, and the reasons behind these. By answering these
questions, Fu found that when you look into Chinese companies’ budgetary practices, the
understanding provided by Western budgetary studies was relevant. To perform the
research, Fu used NVivo to code and group the data until clues, threads,
relationships, reasons, and answers became evident.


62 Leslie E. Sekerka, Roxanne Zolin and Cary Simon, Rapid Transformation in a Dual Identity
Defense University (Monterey, CA: Naval Postgraduate School, 2005).

63 Tiffany C. Smythe, Assessing the Impacts of Hurricane Sandy on the Port of New York and New
Jersey’s Maritime Responders and Response Infrastructure (Boulder, CO: Natural Hazards Center, 2013).

64 Caroline Bartle, “Spreading the Word: A Social-Psychological Exploration of Word-of-Mouth
Traveler Information in the Digital Age,” master’s thesis, University of the West of England, 2011,
http://www2.uwe.ac.uk/faculties/FET/Research/cts/projects/reports/bartle_2011_thesis.pdf

65 Xiao Fu, “The Influences of Budgetary System in a Selection of Large Chinese Companies in the
Industry of Electronic Household Appliances” (master’s thesis, Durham University, 2012)
http://etheses.dur.ac.uk/3644/1/Xiao_Fu_Upload_Thesis.pdf?DDD24-.
The rest of the thesis will proceed as follows. Chapter II is the literature review
and provides an overview of the problem and the barriers to cyber information-sharing.
Chapter III explains how the analysis was performed. In this case, the software tool called
NVivo was used to do a qualitative analysis of the literature sources. Chapter IV presents
the results found for the research questions. Finally,
Chapter V provides a discussion of the results and recommendations.

F.  LIMITATIONS 

As  previously  discussed,  this  study  encompasses  the  barriers  to  cybersecurity 
information  sharing  to  include  policies,  legal  issues,  trust  as  well  as  other  shortcomings  in 
areas  such  as  technology.  The  quality  of  the  findings  of  this  study  is  limited  to  an 
evaluation  of  qualitative  information  obtained  from  literature  sources.  There  was  no 
formal  survey  or  interviews  from  direct  sources  for  this  study. 
II. LITERATURE REVIEW


A.  INTRODUCTION 

This literature review addresses research related to the barriers of cyber
information-sharing between government and private sector organizations. Although
there are some projects identified that are in the process of developing systems to
improve cyber threat information-sharing, there are still considerable factors that are
making it hard to share more. The review of these factors will provide insight in order to
overcome these barriers for a more successful approach.

B. ANALYSIS

Experts note that the private sector has difficulty in sharing its cyber threat
indicators and incidents with the government. This is especially true when a cyber
incident would threaten the livelihood of that corporation. For instance, if an incident
reveals that the company’s customers are vulnerable due to the incident, the sharing of
the information could hold the company liable; therefore, the company is reluctant to
share it.68 Problems like this are just one example of the barriers to sharing cyber
information. These problems date back to the beginning of networked systems and when
cybersecurity breaches began.

More  than  ten  years  ago,  an  expert  from  Symantec  Corporation  identified  three 
specific  impediments  that  hinder  cybersecurity  information-sharing  in  the  United  States: 
lack  of  trust,  concerns  over  the  protection  of  shared  information,  and  failure  by  the 
government  to  share  their  threat  information  in  return.  Just  last  November,  Phyllis 
Schneck,  deputy  under  secretary  for  cybersecurity  for  the  National  Protection  and 


66 David Sutton, “The Issue of Trust and Information Sharing and the Question of Public Private
Partnerships,” in Critical Information Infrastructure Protection and Resilience in the ICT Sector (Hershey,
PA: IGI Global, 2013), 258-276.

67 Sutton, “The Issue of Trust and Information Sharing,” 258-276.

68  Ibid. 

69  Adam  Rak,  “Information  Sharing  in  the  Cyber  Age:  A  Key  to  Critical  Infrastructure  Protection,” 
Information  Security  Technical  Report  7,  no.  2  (June  2002). 
Programs Directorate of the U.S. Department of Homeland Security, spoke about some of
the same impediments that are still identified as problems to cyber information-sharing.
For this reason, it is important to find out why the impediments endure and what can be
done to fix them.

There have been many studies done on collaborative sharing of information and
trust. For example, in a study done by the European Network and Information Security
Agency (ENISA), it was noted that formal means for sharing information should be set
up in order to improve the protection and rapid restoration of infrastructure critical to the
reliability of communications within and throughout Europe. In a different study by
Mitre Corporation, it was determined that information and communication technologies
(ICT) are increasingly intertwined across the economies and societies of developed
countries.72 Protecting these technologies from cyber threats requires collaborative
relationships for exchanging cyber defense information and an ability to establish trusted
relationships.73

Scholars identify cyber information as an asset of knowledge. The development of
these knowledge assets and protection of them are both complementary and competing
concerns for an organization. Each has specific issues related to trust that need to be
understood and addressed before an organization is willing to share them.74

In  the  book  Collaborative  Computer  Security  and  Trust  Management,  the  authors 
suggest  an  attitude  among  scholars  whereby  knowledge  assets  should  be  collected  and 
then  shared  among  practitioners,  fully  leveraging  their  impact.  There  is  an  implicit 
assumption  that  all  network  partners  are  trustworthy,  both  individuals  and  organizations, 

70 Brandan Blevins, “Experts Propose Better Cybersecurity Information-Sharing Models,” Search
Security, November 14, 2013, http://searchsecurity.techtarget.com/news/2240209036/Experts-propose-better-cybersecurity-information-sharing-models.

71 Neil Robinson and Emma Disley, Incentives and Challenges for Information Sharing (Heraklion,
Greece: European Network and Information Security Agency, 2010).

72 D. Fernandez Vazquez et al., “Conceptual Framework for Cyber Defense Information Sharing
within Trust Relationships” presented at the 2012 4th International Conference on Cyber Conflict, Tallinn,
Estonia, June 5-8, 2012.

73 Ibid.

74 Jean-Marc Seigneur and Adam Slagell, eds., Collaborative Computer Security and Trust
Management (Hershey, PA: Information Science Reference, 2009), 1-11.
and that fuller distribution of knowledge is always better. The book indicates that this is
not always the case and further exploration of this subject area will identify why.

According  to  experts  at  the  School  of  Information  Sciences  and  Technology  at  the 
Pennsylvania  State  University,  the  primary  reason  for  the  hesitation  to  share  sensitive 
information  among  agencies  is  a  lack  of  trust.  They  discuss  conflict  of  interests  and  turf 
battles  between  agencies,  and  assert  that  the  problem  can  cause  substantial  deficiencies. 
They  conclude  that  existing  secure  information  sharing  technologies  and  protocols  cannot 
provide  enough  incentives  for  government  agencies  to  share  information  with  one 
another  without  jeopardizing  their  own  interests. 

When  multiple  stakeholders  are  involved  in  collaboration,  it  is  typical  for  their 
priorities  to  differ,  or  even  conflict,  with  one  another.  In  today’s  increasingly  networked 
world,  cybersecurity  collaborations  may  span  organizations  and  countries.  There  are 
items  identified  that  may  lead  to  more  trusting  cybersecurity  information-sharing  and 
collaboration.  For  example,  the  European  Network  and  Information  Security  Agency 
(ENISA)  published  a  paper  on  cyber  information-sharing  and  found  that  the  most  popular 
structure to facilitate this sharing is a ‘trusted’ forum or platform where private sector
infrastructure  owners  or  operators  can  meet  face-to-face  at  regular  intervals  and  hold 
informal,  un-attributable  discussions. 

Researchers from MITRE Corporation and ISDEFE, a defense and security firm
from  Spain,  published  a  report  for  the  2012  4th  International  Conference  on  Cyber 
Conflict  (CYCON).  They  used  the  ENISA  processes  and  documents  to  identify  four 
aspects  of  cyber  defense  collaboration  and  improvements  to  cyber  information-sharing. 
According  to  the  report,  there  is  a  long  history  across  the  cyber  defense  community  of 
establishing  information-sharing  repositories,  creating  data  exchange  standards,  and 


75 Ibid.

76 Peng Liu and Amit Chetal, “Trust-Based Secure Information Sharing between Federal Government
Agencies,” Journal of the Association for Information Science and Technology, no. 56 (2005): 283-298.

77 Liu and Chetal, “Trust-Based Secure Information Sharing,” 283-298.

78  Seigneur  and  Slagell,  Collaborative  Computer  Security,  1-11. 

79  Ibid. 
finding that the repositories were underutilized. They found that in relation to the field
of cybersecurity, the debate is about the data types that are useful, what data can be
shared due to policies, what models to use to share, and how to address privacy and
security.

This thesis will include a study of the legal barriers to cybersecurity
information-sharing. Without legal protection, corporations worry that information they share may be
used as evidence by the government or in litigation that might come back to haunt
them.81 There have been groups that have asked Congress for legal protection prior to
participating in any federal programs. Possible barriers may exist in current laws
protecting electronic communications or in antitrust law.

Organizations that share information may also be concerned that sharing or
receiving such information may lead to increased civil liability, or that shared
information may contain proprietary or confidential information that may be exposed to
unauthorized use by competitors or government regulators.82

These legal implications have fueled debates among lawmakers and industry,
suggesting that there is a great need for new laws to protect organizations from such
liability. Proposed laws such as the Cyber Intelligence Sharing and Protection Act
(CISPA) would allow for the sharing of Internet traffic information between the U.S.
government and technology and manufacturing companies.83 The bill would help the
U.S. government investigate cyber threats and ensure the security of networks against
cyberattacks. Unfortunately, new laws such as this have yet to be implemented because
others disagree that enough privacy protection will be included in the laws.84


80 Robinson and Disley, Incentives and Challenges for Information Sharing.

81 Singer and Friedman, Cybersecurity and Cyberwar, 222-246.

82 “ITI Recommendation: Addressing Liability Concerns Impeding More Effective Cybersecurity
Information Sharing,” Information Technology Industry Council, accessed September 2, 2014,
http://www.itic.org/dotAsset/fae2feab-7b0e-45f4-9e74-64e4c9eceI32.pdf

83 HR 624 Cyber Intelligence Sharing and Protection Act, (2013).

84 Ibid.
In addition to legal barriers, this thesis will review policy barriers to cyber
information-sharing.  The  debate  includes  organizational  and  national  policies  about  what 
can  be  shared.  Policies  must  exist  within  organizations  to  be  able  to  share  their  data  with 
other  organizations.  In  reviewing  the  literature  associated  with  cyber  information-sharing 
and  policy  development,  there  are  multiple  areas  where  sources  have  identified  a 
requirement  for  Congress  to  develop  new  policies  for  sharing  cyber-threat  information. 
Sharon  Dawes  proposes  a  theoretical  model  for  understanding  how  policy,  practice,  and 
attitudes  interact  and  suggests  two  policy  principles,  stewardship  and  usefulness,  to 
promote  the  benefits  and  mitigate  the  risks  of  sharing. 

According  to  Dawes,  successful  sharing  depends  on  a  policy  that  takes  a  global 
view  of  how  information  resources  can  support  government  services.  It  should  convey  an 
affirmative  expectation  that  government  information  be  used  to  increase  knowledge, 
improve  analysis,  and  inform  decisions  as  well  as  to  administer  programs.  Any 
jurisdiction  seeking  the  benefits  of  interagency  information-sharing  must  adopt  policies 
that  do  more  than  simply  make  sharing  possible.  It  needs  policies  that  make  it  probable 
that  appropriate  problems  will  be  identified  and  that  reasonable  effort  will  lead  to 
success. Dawes suggests two policy principles, information stewardship and information
use.86 These policy principles will be discussed later in this thesis.

The Mitre report includes trust-building policies as a way of building trust; these have
two components. First, participants will develop trust in the cyber defense sharing
network as participants feel that the information they contribute is protected. Second, the
network provides them the opportunity to gather valuable information unavailable
elsewhere, providing high value back to participants.

Technology  for  automated  information-sharing  is  another  barrier  to  sharing  cyber 
information,  but  there  are  initiatives  working  to  close  the  technology  gap.  In  order  to 


85 Sharon S. Dawes, “Interagency Information Sharing: Expected Benefits, Manageable Risks,”
Journal of Policy Analysis and Management 15, no. 3 (1996): 377-394.

86 Ibid.

87 Vazquez et al., “Conceptual Framework for Cyber Defense Information Sharing,” 1-17.
share information, there must be a common language and format of how and what to
share.  Standards  on  information  security  have  been  around  for  a  long  time.  For  example, 

The standards that are needed for sharing cyber threat information are fairly new
and not widely adopted yet. For example, there are the NIST SP-800 standards for
security information systems. There are also the ISO/IEC 27000 series of standards that
are part of a growing family of ISO/IEC Information Security Management Systems
(ISMS) standards. Several emerging cyber security standards show early promise. Two
of them, the Structured Threat Indicator Exchange (STIX) and Incident Object
Description Exchange Format (IODEF), could potentially play a pivotal role in protecting
threat-related communication between sharing partners. Furthermore, there are
overlapping standards that are causing problems for some agencies. For instance, five
years ago, there were no known cyber structured standards available to exchange cyber
threat information, but there are now overlapping cyber-sharing standards that compete
for use within organizations. According to Kathleen Moriarty of EMC Corporation,
threat information-sharing efforts must effect the most efficient response, and in doing so,
they must ensure the threats shared are actionable. She goes on to mention that there needs
to be an efficient automated sharing model developed. She argues that if multiple
overlapping standards are developed, the automation of cyber threat information becomes
a barrier to successful sharing. This thesis builds upon her work and attempts to identify
ways to unify standards development in order to have a more consistent approach for
cyber standards.

Other  barriers  to  cyber  information-sharing  have  been  identified  such  as  personnel 
clearance  levels  and  the  need  to  access  classified  cyber  information,  concerns  with  the 
value  of  the  data  once  it  is  shared,  and  fears  that  automated  sharing  could  lead  to  the 


88  Yves  Barlette  and  Vladislav  V.  Fomin,  “The  Adoption  of  Information  Security  Management 
Standards,”  in  Information  Resources  Management:  Concepts,  Methodologies,  Tools,  and  Applications 
(Hershey,  PA:  IGI  Global,  2010),  69 

89  Kathleen  Moriarty,  Transforming  Expectations  for  Threat-Intelligence  Sharing  (Hopkinton,  MA: 
EMC,  2013). 

90  Ibid. 
release of too much information.91 According to U.S. federal classification guidance
policy, information shall not be considered for classification unless its unauthorized
disclosure could reasonably be expected to cause identifiable or describable damage to
the United States’ national security, and if it pertains to things such as military plans,
weapons systems or operations, foreign government information, intelligence activities
and others. Policies such as these prevent the sharing of cyber threat information.

According to a Government Information Quarterly report by Harold C. Relyea, the
federal government has not established comprehensive policies to effectively integrate state
and city governments into the information-sharing process. According to the report, the
Government Accountability Office (GAO) identified several barriers to sharing threat
information with state and city governments. For example, federal agencies say they could
not provide states and cities with information due to concerns over state and local officials’
ability to secure and protect classified information, the officials’ lack of security clearances,
and the lack of integrated databases. GAO indicated that these barriers could be overcome
with proper training, new equipment, and adequate security clearances.93

C.  SUMMARY 

The literature on cybersecurity information-sharing indicates that there are
significant barriers to cyber information-sharing and that organizations, both private and
public, have obstacles to overcome to ensure successful sharing and prevention of future
cyberattacks. These obstacles include trust, legal, and technological barriers. Other
obstacles include problems with privacy and lack of incentives to share. This thesis will
contribute to the existing research literature by providing a current account of the
landscape of barriers to cyber information-sharing between public and
private entities.

91  Ponemon  Institute,  Exchanging  Cyber  Threat  Intelligence:  There  Has  to  Be  a  Better  Way  (Traverse 
City,  MI:  Ponemon  Institute,  2014). 

92  “The  President,  EO  13526:  Executive  Order  13526:  Classified  National  Security  Information, 
Memorandum  of  December  29,  2009,  Implementation  of  the  Executive  Order  ‘Classified  National  Security 
Information’,  Order  of  December  29,  2009,  Original  Classification  Authority:  United  States,”  The  Federal 
Register,  accessed  September  9,  2014,  http://www.archives.gov/isoo/pdf/cnsi-eo.pdf. 

93 Harold C. Relyea, “Homeland Security and Information Sharing: Federal Policy Considerations,”
Government  Information  Quarterly  21,  no.  4  (2004):  420-438. 
III. METHOD


A.  INTRODUCTION 

Through  the  sharing  of  cybersecurity  information,  stakeholders  are  provided 
timely  information  on  the  most  critical  threats.  They  can  use  this  important  information  to 
implement  an  effective  solution  that  will  reduce  the  risk  to  their  mission-essential 
services  and  data. 

This thesis asks the questions, what are the primary barriers to cyber
information-sharing between government and private sector organizations? And, how can these
barriers be overcome? While some private and public sector organizations have
begun  to  share  cybersecurity  information,  there  are  still  many  barriers  that  are  preventing 
the  ability  to  share  more. 

A  qualitative  method  of  analysis  through  review  of  literature  sources  was  used  to 
identify the barriers to cybersecurity information-sharing with an emphasis on issues of
trust,  law,  policy,  and  technology.  The  data  were  researched,  coded,  and  categorized  into 
major  themes  related  to  the  research  question  through  the  use  of  a  software  product 
designed  for  qualitative  analysis  called  NVivo. 

B. LITERATURE SOURCES

Literature  sources,  such  as  government  documents,  books,  and  websites  were 
used  to  perform  this  study.  The  primary  source  books  were  focused  on  cyber  security, 
collaboration,  and  information  sharing.  Google  Scholar,  Dudley  Knox  Library,  and  the 
Homeland  Security  Digital  Library  were  used  to  search  for  books  and  other  materials  on 
the  subject.  Other  sources  included  the  websites  for  Department  of  Homeland  Security, 
White  House,  and  Congressional  hearing  sources.  There  were  many  journal  and  trusted 
news related websites that were used as well. The data collected to perform this study
spanned several years and was gathered from books, journals, websites, Congressional
hearings, and news organizations. Some notable works that were included were P.W.
Singer and Allan Friedman’s Cybersecurity and Cyberwar: What Everyone Needs to
Know and Paul Rosenzweig’s Cyber Warfare: How Conflicts in Cyberspace Are
Challenging America and Changing the World.

C.  INSTRUMENT 

Computer Assisted Qualitative Data Analysis Software (CAQDAS) called NVivo
from QSR Corporation was used in data analysis for this study. NVivo has been known
to support data analysis because of the software’s ability to make the analysis transparent
to other researchers, its ability to manage large amounts of data, and its associated search
and retrieval features. There are many benefits from using a product like NVivo such as
creation of auditable footprints, allowing the research to be more explicit and reflective
on the process, providing increased transparency, and providing new opportunities for
data analysis.

NVivo  helps  organize  data  for  easy  retrieval  and  analysis.  It  takes  the  place  of  the 
manual  method  of  copying  data,  selecting  sections  of  text,  highlighting,  and  organizing 
into  folders.  NVivo  software  makes  it  possible  to  collect  the  data  with  common  topics  in 
nodes that contain pointers to various sections of several documents.95

In  addition  to  the  NVivo  software,  the  NVivo  Toolkit  was  used  to  assist  with  the 
qualitative  analysis.  The  NVivo  Toolkit  was  developed  by  Maureen  O’Neill,  researcher 
at  the  University  of  the  Sunshine  Coast,  Queensland,  Australia.  Through  the  use  of  the 
NVivo  Toolkit,  O’Neill  asserts  that  it  is  possible  to  constantly  interrogate  the  data, 
moving  from  lower  order  to  higher  order  themes,  and  providing  a  higher  degree  study 
through  four  stages  as  shown  in  Figure  1.96 

While  NVivo  software  helps  with  recording  and  analysis  of  the  data,  it  is  not 
designed  to  be  a  mechanism  to  automatically  reach  conclusions.  Hence,  it  is  still  the 
researcher  who  uses  the  NVivo  software  to  organize  data,  continuously  looking  for 
relationships  with  or  contradictions  to  the  data,  shadowing  the  data  in  broad  literature  and 

94  Maureen  O’Neill,  “NVivo  Toolkit,”  QSR  Corporation,  accessed  April  19,  2014, 
http://explore.qsrinternational.com/nvivo-toolkit.

95  Bengt  Edhlund,  NVivo  Essentials,  Raleigh,  NC:  Lulu.com,  2007. 

96  Ibid. 
research context, and formulating findings. The core of NVivo is that the researcher is the
one who analyses data and not the software itself.97

Key  to  the  qualitative  analysis  process  is  diminishing  any  doubt  surrounding  the 
reliability  and  validity  of  qualitatively  produced  findings,  and  formulating  a  serious 
method  of  data  analysis.  Successful  research  using  qualitative  data  relies  on  the  rigor 
and  thoroughness  of  the  data  analysis  methods.  The  findings  of  this  study  are  validated 
based  on  the  vast  data  collection  and  qualitative  analysis  tool  that  was  used  for  analyzing, 
coding,  and  presenting  the  theme  of  the  data.  By  using  a  tool  such  as  NVivo,  themes  were 
rendered  automatically  from  the  data  of  the  sources.  Through  reflection  of  the  themes  and 
the  data,  it  allowed  for  re-examination  and  confirmed  certain  aspects  of  this  research. 

The  NVivo  Toolkit  describes  the  process  of  using  the  software  in  four  steps  as 
explained  in  the  next  section.  Each  step  must  be  completed  before  entering  the  next  step. 
This model of qualitative research is similar to the process that was designed by Rudolf
Sinkovics and Eva Alfoldi.99

D. PROCEDURES

Successful  research  using  qualitative  data  relies  on  the  rigor  and  thoroughness  of 
the  data  analysis  methods  and  how  qualitative  data  can  be  rigorously  analyzed.  The 
following  procedures  were  used  in  conducting  this  study: 

•  Descriptive: Enter data sources into NVivo

•  Topic:  Organize  and  code  data 

•  Analytic:  Analyze  and  query  data 

•  Conclusion:  Draw  answers  from  data 

The first step, descriptive, involves entering the project details into NVivo such as
the project information, and sources. The sources identified in the “Literature Review”

97  O’Neill,  “NVivo  Toolkit.” 

98  Matthew  B.  Miles  and  A.  Michael  Huberman,  Qualitative  Data  Analysis:  An  Expanded  Sourcebook 
(Thousand  Oaks,  CA:  SAGE,  1994). 

99  Rudolf  R.  Sinkovics  and  Eva  A.  Alfoldi,  “Facilitating  the  Interaction  between  Theory  and  Data  in 
Qualitative  Research  using  CAQDAS,”  in  Qualitative  Organizational  Research:  Core  Methods  and 
Current  Challenges,  eds.  Gillian  Symon  and  Catherine  Cassell  (London:  SAGE,  2012),  21. 
chapter include internal sources such as websites, pdf documents, and Microsoft Word
documents from the literature on cybersecurity information-sharing. The external sources
are  the  books  and  other  items  that  were  cited  using  the  tool  RefWorks.  RefWorks  data 
were  imported  into  NVivo  and  notes  were  used  to  record  thoughts  and  observations  about 
the  data. 

The details of the data sources collected were entered into the research project
under NVivo sources, which contained the sub-sections of internals, memos and
externals. Internals are primary research materials that are imported or created in
NVivo that serve as the data sources as noted above. This includes any combination of
documents, PDFs, audio, video, pictures or data sets. Memos allow for storing memos
and other recordings about the study. Externals are proxies that represent research
materials that cannot be imported into NVivo, such as books or manuscripts.

The  second  step  in  the  process  includes  abstracting  obvious  topics  from  the 
sources  to  create  nodes.  A  node  is  basically  a  subject,  concept,  process,  or  idea.  In  this 
thesis,  the  nodes  equate  to  the  thesis  research.  The  nodes  that  emerged  as  a  result  of  this 
research  include  trust,  legal,  policy,  and  technology  as  the  main  barriers  to  cyber 
information-sharing. 

The  third  step  is  to  analyze  the  data  in  the  sources  and  merge  the  nodes  into  sets 
or  model  the  data  into  relationships  by  querying  the  data.  This  analytic  step  involved  the 
initial  merging  of  nodes  and  the  running  of  queries.  This  helps  narrow  down  the  top 
barriers  to  cyber  information-sharing.  For  example,  the  initial  nodes  for  the  legal  node 
included  many  nodes  such  as  privacy  laws,  antitrust  laws,  other  cyber  laws,  and  so  on. 
After querying and researching more on the subject, the nodes were merged into a single
node, legal. Alan Bryman suggests that this is the process of exploring more complex
aspects of the nodes. This will be described in more detail in the next section.


100  Alan  Bryman,  Social  Research  Methods  (Oxford:  Oxford  University  Press,  2012). 

The  sources  analyzed  for  this  thesis  included  approximately  400  items,  including  available  unclassified 
U.S.  government  reports  and  studies  on  cyber  issues  for  the  past  decade  as  well  as  academic  and  other 
studies  available  through  the  NPS  Dudley  Knox  Library  and  other  locations. 

101  Ibid. 
The last step is to reach a conclusion. Conclusions are more readily verified as the
analysis continues, but certainly do not completely appear until the data collection is
finalized.102 For this study, NVivo assisted in organizing the data so the analysis could
draw conclusions that were reliable and unproblematic. Chapter V will cover the
conclusions from this study.

E.  DATA  ANALYSIS 

Thematic  analysis  was  used  to  capture  important  categories  in  the  data  in  relation 
to  the  research  questions.  It  revealed  patterns  and  made  sense  of  the  data  in  a  meaningful 
way.  The  data  served  as  evidence  for  the  themes  and  relationships  that  were  established. 

Through the use of NVivo’s automatic coding mechanisms, obvious topics were
drawn from the sources and the data were coded. Coding in NVivo allows for the
grouping of related concepts to be organized in containers, the aforementioned nodes.
This process is facilitated by allocating coding stripes and highlighting certain phrases
and sentences, which denotes obvious topics that had originated from the formulation of
nodes. The following figure shows the nodes and coding stripes that were
automatically marked in this study by using the Auto Code feature of NVivo.


102  Matthew  B.  Miles  and  A.  Michael  Huberman,  The  Qualitative  Researcher’s  Companion 
(Thousand  Oaks,  CA:  SAGE,  2002). 


Figure  2.  NVivo  coding 


Coding  is  the  key  process  of  analysis  through  NVivo.  As  nodes  are  described  as 
the  places  to  store  ideas,  coding  is  the  way  to  store  pointers  to  the  text  about  those  ideas. 
Coding is the computerized equivalent of putting all the relevant material into a file
folder for each node. Coding not only allows users to find relevant data to research
questions  quickly,  but  it  also  helps  to  obtain  and  refine  clues  from  materials.  The  coding 
in  Figure  2  shows  the  relevant  coverage  of  the  barriers  to  cyber  information-sharing  and 
the  coding  stripes  are  shown  in  color  at  the  right  side. 

The editing, coding, and analyzing process of NVivo could be endless because it
can be used to continuously reorganize and refine research ideas. In brief, NVivo is used
to help record and organize data, based on certain categories. NVivo’s functions are used
to assist with the analysis by making links, coding, sorting and doing simple statistics,
thus revealing whether or not relationships exist. It is more consistent with this study’s
epistemology and methodology than free-mapping or pure quantitative studies.

By  using  the  NVivo  software  tool,  this  thesis  can  help  provide  input  for  future 
research.  The  relevant  theories  of  this  work  concerning  information-sharing  can  further 
add to data analysis and discussion. For example, another researcher could show cyber
analysts’ influences toward sharing through the addition of standard operating procedures
and incident response data at a security operations center for further analysis. In this way,
the relevant literature and analysis that was already performed can be utilized and
reflected upon for continued research.

NVivo software is used to identify themes and classify the literature data. This is
very similar to the process described for empirical data analysis. The analytic stage, step 3 of
the NVivo Toolkit process, involved the initial merging of nodes and the running of
queries. Bryman suggests that this is the process of exploring more complex aspects of
the nodes.103

Earlier, the chapter touched on how the data are analyzed and refined through the
use of queries. The example explained how the “legal” node emerged by running queries
under the many different initial nodes for the different laws pertaining to cyber
information-sharing such as privacy, intellectual property, liability, and antitrust law. By
generating these queries, it was found to be much better to merge the nodes into the one
node, legal.

Other queries that were performed were to find the legal barriers and why they
were barriers. For example, the antitrust laws were found to be a barrier because of the
query of the sources for antitrust. By having all the sources available to query, it was
much easier to find the evidence needed to identify that antitrust was a major theme
under the legal barriers to sharing. According to Amitai Aviram and Avishalom Tor, the
contemporary assessment of the competitive effects of information-sharing among
competitors is a showcase of the duality of public policy and antitrust law toward
cooperation.104 Scholars recognize the potential anti-competitive effects of
information-sharing among competitors, but at the same time acknowledge the social benefits derived
from this business practice.105

Through  NVivo’s  coding  process,  queries,  merging  and  continued  analysis,  the 
nodes  that  emerged  to  the  top  of  the  analysis  were  trust,  technology,  policy,  and  legal. 

103  Bryman,  Social  Research  Methods. 

104  Avishalom  Tor  and  Amitai  Aviram,  “Overcoming  Impediments  to  Information  Sharing.”  Alabama 
Law  Review  55,  no.  2  (Winter  2004):  231-279. 

105  Tor  and  Aviram,  “Overcoming  Impediments  to  Information  Sharing.” 
Therefore, the thematic analysis of the sources validated the fact that those are the main
barriers  to  cyber  information-sharing  and  will  be  the  findings  discussed  in  future 
chapters. 

NVivo  has  multiple  visualization  options,  including  modeling,  to  display 
qualitative analysis data. The models are used to show the relationships between the
various  items  and  to  demonstrate  the  theory,  or  how  the  data  supports  the  hypothesis. 
Tables  can  be  used  to  find  out  the  existence  or  non-existence  of  similarities,  differences 
and  relationships.  The  model  in  Figure  3  shows  the  barriers  to  cyber  information-sharing 
from  the  thematic  analysis  of  the  external  data  sources. 


Figure 3. NVivo mapping model

It has been suggested that the qualitative researcher has few guidelines for reliable
and thorough findings. However, by using tools such as NVivo, a user is able to use
techniques  that  ensure  thoroughness  and  reliability  in  the  analysis  of  the  data  with  a 
higher  degree  of  study  and  validation. 

Conclusions  are  more  readily  verified  as  the  analysis  continues,  but  they  do  not 
completely  appear  until  the  data  collection  is  finalized.  For  this  study,  NVivo  assisted  in 
organizing  the  data  so  the  analysis  could  draw  conclusions  that  were  reliable  and  free 
from  problems. 


106  Miles  and  Huberman,  Qualitative  Data  Analysis. 
After completing the procedures in the four steps of the process, the author was
able to translate from the NVivo project to consider the meaning of higher order themes
for the discussion chapter. By using NVivo in support of this analysis, the major themes
that emerged as the barriers to cybersecurity information-sharing include trust, legal,
policy, and technology barriers. The conclusions were made by performing each of the
four steps and enabled the development of the findings and recommendations of this
thesis.
IV. RESULTS


A.  RESEARCH  QUESTIONS 

This study asks the questions, what are the primary barriers to cyber
information-sharing between government and private sector organizations? And, how can these
barriers be overcome? While some private and public sector organizations have
begun to share cybersecurity information, there are still many barriers that are preventing
the ability to share more. As explained previously, more than 300 sources of information
were gathered and researched (see Appendix A). Through the research of the literature
and the use of NVivo to help organize and query the data, it is evident that the barriers to
sharing cyber information are primarily trust, legal, policy, and technology. These major
themes that emerged from the data provide a vivid observation of the barriers to cyber
information-sharing. Figure 4 displays the results of the analysis and shows the total
items that were coded and the number of coding references for each theme.
Figure 4. Results

1. Trust


The  basic  element  of  trust  was  identified  as  a  major  theme.  There  has  been  a  lot  of 
research  and  development  in  the  field  of  computational  trust  in  the  past  decade.  Much  of 
it has acknowledged or claimed that trust is a good thing. Trust is an important factor
when  developing  sharing  partnerships  and  is  found  to  be  one  of  the  major  barriers  to 
sharing  cybersecurity  information. 

Trust  is  identified  as  one  of  the  strategic  keystones  of  the  Office  of  the  Director  of 
National Intelligence (ODNI), Intelligence Community, Information Sharing Strategy.108
According  to  the  ODNI,  the  “need-to-know”  culture  led  to  practices  that  inhibit 
information-sharing  today.  Multiple  organizations  establish  their  own  classification  rules 
and  procedures,  resulting  in  inconsistent  use  and  understanding  of  security  markings. 
Differing  requirements  for  access  and  certification  and  accreditation  inhibit  trust  across 
the  intelligence  community.  The  key  concepts  are  the  need  for  consistent  certification  and 
accreditation  practices,  uniform  information  security  standards,  and  uniformity  across  the 
intelligence community for accessing data to enable information-sharing.109

Additional evidence of the importance of trust is suggested by a study conducted
by MITRE Corporation.110 The study revealed that a high degree of trust is required to share
cybersecurity information and that this is a barrier. In the study, MITRE found that it may be
difficult  to  share  cybersecurity-related  information  between  a  for-profit  company  and  its 
competitors  or  among  government  agencies  due  to  conflict-of-interest  issues.  The  study 
also  suggests  that  members  may  be  reluctant  to  share  information  with  another  company 
that  is  trying  to  maximize  profits  while  acting  as  a  trusted  third  party. 

In  another  study  performed  by  the  European  Network  and  Information  Security 
Agency  (ENISA),  it  was  noted  that  formal  means  for  sharing  information  should  be  set 

107 Stephen Marsh and Mark R. Dibben, “Trust, Untrust, Distrust and Mistrust-an Exploration of the
Dark (Er) Side,” in Trust Management, 17-33 (New York: Springer, 2005).

108 Office of the Director of National Intelligence, United States Intelligence Community Information
Sharing Strategy (Washington, DC: Office of the Director of National Intelligence, Feb. 22, 2008).

109 Ibid.

110 “Cyber Information-Sharing Models: An Overview,” Mitre, accessed February 12, 2014,
http://www.mitre.org/sites/default/files/pdf/cyber_info_sharing.pdf
up in order to improve the protection and rapid restoration of infrastructure critical to the
reliability of communications within and throughout Europe.111 The study finds that
companies may be reluctant to share information directly with a government agency, due
to fears of information being leaked or disclosed by Freedom of Information Act
requests. In addition, there are cultural barriers that often lead companies to distrust the
government. Companies need to feel that the benefits they gain by sharing sensitive
information with the government must outweigh the risks; often, this barrier is not
crossed.112

Other  evidence  that  trust  is  a  key  factor  for  information-sharing  is  from  a 
conference  that  was  held  in  Boston,  Massachusetts,  at  the  Advanced  Cyber  Security 
Center  (ACSC)  in  November  2013.  The  conference  reviewed  some  of  the  barriers  to 
cyber  information-sharing  and  trust  was  a  major  topic.  At  the  conference,  Phyllis 
Schneck,  deputy  under  secretary  for  cyber  security  for  the  National  Protection  and 
Programs  Directorate  of  the  U.S.  Department  of  Homeland  Security,  stated  that  her 
number  one  priority  is  building  trust  between  the  government  and  the  private  sector.  She 
also said that the cybersecurity community has the ability to defeat this adversary by
building trust. Furthermore, global situational awareness is the dream, and DHS plans to
engage people within the community to get their trust and to incentivize
companies.113

With the recent NSA leaks and the WikiLeaks problems there are even more trust
barriers to cyber information-sharing between public and private entities.114 In a recent
FedScoop article, Dan Verton discusses the ongoing problem with the NSA Edward
Snowden leaks and the problems faced with sharing cyber information with public and
private sector because of the lack of trust based on leaked information. According to
the article, Larry Castro of the NSA said that Snowden’s unauthorized disclosures

111  Robinson  and  Disley,  Incentives  and  Challenges  for  Information  Sharing. 

112  Ibid. 

113 Blevins, “Experts Propose Better Cybersecurity Information-Sharing Models.”

114 Ibid.

115 Dan Verton, “NSA Leaks Threaten Global Cybersecurity Information Sharing,” FedScoop,
October 16, 2013, http://fedscoop.com/nsa-leaks-threaten-global-cybersecurity-information-sharing/.
took the wind out of the sails of what was a growing agreement that the NSA had a very
direct role to play in supporting the Department of Homeland Security (DHS) and
providing actionable cyber-threat information.

The  Office  of  the  Director  of  National  Intelligence  (ODNI)  was  created  based  on 
the  recommendation  of  the  9/11  Commission  because  of  the  failed  intelligence  sharing 
that  could  have  prevented  the  attacks  of  that  day.  After  the  WikiLeaks  scandal, 
intelligence  officials  defended  information-sharing  practices,  and  claimed  that  it  was 
possible  to  reconcile  these  practices  with  strong  security.  They  are  likely  about  to 
come  under  renewed  political  pressure,  as  a  result  of  Sunday’s  revelations.  According  to 
the  Washington  Post,  after  the  leaked  information,  the  ODNI  and  the  Intelligence 
Community now have stricter rules for information.118 Now that the leaked NSA
information is in the open source, there are many implications that will plague us
for years to come. Some experts agree that the leaks will make the United States require
more transparency of federal programs.119

According to Col. Cedric Leighton, the former NSA deputy director of training, speaking at
the Bloomberg Enterprise Technology Summit in New York City, Snowden’s leaks had
performed a significant disservice to the worldwide health of the Internet.120 Leighton
was  talking  about  the  recent  moves  by  Brazil  and  other  countries  to  reconsider  the 
decentralized  nature  of  the  foundation  of  the  Internet. 

Trust  is  a  major  theme  in  any  type  of  information-sharing,  not  just  cybersecurity. 
David Sutton, an expert in cybersecurity and critical infrastructure protection, explains
that  whatever  their  focus,  partnerships  require  that  a  fundamental  level  of  trust  be 

116 National Commission on Terrorist Attacks upon the United States, The 9/11 Commission Report,
567.

117 Information Sharing in the Era of WikiLeaks: Balancing Security and Collaboration: Hearing
Before the Committee On Homeland Security and Governmental Affairs, 112th Cong. (2011).

Henry Farrell, “Snowden-Type Leaks Will Force the U.S. to be More Transparent,” Washington
Post Blog, http://www.washingtonpost.com/blogs/monkey-cage/wp/2014/02/24/snowden-type-leaks-will-force-the-u-s-to-be-more-transparent/.

120 Zack Whittaker, “Former NSA Executive: Snowden Leaks Caused ‘Significant Disservice’ to the
established between the partners in order to have any chance of success.121 In parallel
with trust, there is also a need to share information between partners, which must be
carried out in a controlled and secure manner. According to Sutton, the issue of trust is
fundamental to the formation of Public-Private Partnerships (PPPs). Furthermore, if
trust cannot be established or if it breaks down for any reason, the extent to which
information may be shared and the resulting effectiveness of a PPP will be significantly
reduced.123

Issues related to trust need to be understood and addressed before an organization
launches a new sharing initiative. 124 As this analysis shows, trust is the basic theme that
is needed in order to be able to begin to share information. The next chapter will examine
ways to overcome the trust issues, such as using a trust relationship model approach to
sharing as well as information-sharing agreements to legally bind the trust relationship.

2. Legal

Another theme that arose in the analysis as a main barrier to cyber information-sharing
is legal issues. The findings revealed that the legal barriers to cybersecurity
information-sharing are privacy, antitrust and liability issues, and protection of
confidential information. According to the Heritage Foundation, the first element of any
legislation must be to enable and foster information-sharing between the public and
private sectors, and among private-sector. Furthermore, any legislation must provide
robust protection for privacy and individual freedoms.

The 112th Congress tried to pass comprehensive cybersecurity legislation. The
Cyber Intelligence and Sharing Protection Act (CISPA) passed the House of
Representatives, but no law was produced. 126 Also introduced was the Cybersecurity Act
(CSA) of 2012, also known as the Lieberman-Collins bill. According to The Heritage
Foundation, the CSA failed to pass because of differences among members of Congress
regarding how the nation should approach the growing challenge of cybersecurity. 127
A key revision to the CSA made cybersecurity standards voluntary, but some agencies’
regulations would have made them mandatory in specific sectors. Many stakeholders
think that regulation is not the way to go for fostering sharing cybersecurity information;
therefore, the CSA did not become law. 128

Sutton, “The Issue of Trust and Information Sharing,” 258-276.

Security, Prosperity, and Freedom in Cyberspace (Washington, DC: The Heritage Foundation, 2013).

The Cyberspace Policy Review explains that private organizations are concerned
that certain federal laws might prevent full collaborative partnerships and operational
information-sharing between the private sector and government. 129 An example of this
cited in the review is collusion, where information-sharing and collective planning occur
among members of the same sector under an existing partnership. Another example is the
reluctance to share because the company does not want to disclose sensitive or
proprietary business information to the federal government, such as vulnerabilities and
data or network breaches.

Although there are laws to protect companies from this, such as the Trade Secrets
Act and the Critical Infrastructure Information Act, which addresses concerns with
respect to the Freedom of Information Act (FOIA), there is still much reluctance to
share. 120 In addition, companies are also concerned about harm to their reputation,
liability, or regulatory consequences in regard to sharing. This works both ways too, in
that the federal government will limit the information it will share with private
companies because of the need to protect sources and methods or the privacy rights of
individuals.

126 Cyber Intelligence Sharing and Protection Act, 2013. HR 624 (2013).

120 Uniform Trade Secrets Act with 1985 Amendments; Critical Infrastructure Information Act of

Antitrust laws provide important safeguards against unfair competition, and FOIA
helps ensure transparency in government that is essential to maintain public confidence.
The civil liberties and privacy community has expressed concern that extending
protections would only serve as a legal shield against liability. 131 In addition, the
challenges of information-sharing can be further complicated by the global nature of the
information and communications marketplace. When members of industry operating in
the United States are foreign-owned, mandatory information-sharing, or exclusion of
such companies from information-sharing regimes, can present trade implications. 132

Sharing between the private sector and the government is challenging because of
the legal protections that the private sector needs in order to share its information. One
problem is that private sector companies worry that information they share may be used
against them by the government. In a report by the Congressional Research Service
(CRS), policymakers argued that there is a need for the federal government and owners
and operators of the nation’s critical infrastructures to share information on
vulnerabilities and threats and to promote information-sharing between the private and
public sectors in order to protect critical assets from cybersecurity threats. 133 Private
sector entities may wish to share information with one another about threats they have
faced or are currently facing. They may also wish to collaborate on solutions to these
issues. Additionally, the government may have information about cybersecurity threats
that would be similarly useful to potential targets in the private sector. The government
may see value in having access to information from the private sector about cybersecurity
threats. The CRS report explains that obstacles to information-sharing may exist in
current antitrust laws. Private entities that share information may be concerned that
sharing cyber threat information may lead to increased civil liability, or that shared
information may contain proprietary or confidential business information that may be
used by competitors.

131 The White House, Cyberspace Policy Review.

132 Ibid.

133 Edward C. Liu et al., Cybersecurity: Selected Legal Issues (CRS Report No. R42409)
(Washington, DC: Congressional Research Service, 2012).

The Comprehensive National Cybersecurity Initiative #5 (CNCI-5) information-sharing
architecture (ISA) provides the architecture guidance that the federal cyber
centers use to enable cyber information-sharing. The ISA provides a risk chart, and there
are several high-risk items. One high-risk item is that authorities and legal restrictions
(or lack of clear guidance) may prevent sharing. The CNCI-5 program management team
is working to resolve these risks through policy working groups that include legal
representation from the centers.

In another report developed by analysts at U.S. STRATCOM, legal issues that
specifically deal with cybersecurity and information-sharing are identified as the
USA-PATRIOT Act (Patriot Act), Foreign Intelligence Surveillance Act (FISA), Federal
Acquisition Regulation (FAR), Intellectual Property, Antitrust Law, Title 10 & Title 50,
Freedom of Information Act (FOIA), and Federal Advisory Committee Act (FACA).
This report provides a comprehensive overview of the laws pertaining to cybersecurity
and collaboration between public and private organizations, such as the USA-PATRIOT
Act (Patriot Act) and the Foreign Intelligence Surveillance Act (FISA). The legal
recommendations include proposed amendments to laws cited as perceived or actual
barriers to collaboration, which include the Foreign Intelligence Surveillance Act (FISA),
the Freedom of Information Act (FOIA), Antitrust Law, and the Federal Advisory
Committee Act (FACA). 135

These same legal concerns were addressed in a report that was published over
fourteen years ago by the U.S. Air Force Institute for National Security Studies. The
USAF report also cited two additional legal issues, concerns about the release of national
security material and barriers to cooperation with law enforcement agencies, which
are still concerns today. 136

134 Frederick Bartell et al., Collaborating with the Private Sector (Fort Belvoir: Defense Technical

3.  Policy 

Another barrier to cybersecurity information-sharing and a theme that evolved
from the analysis is policy issues. The policy issues can be categorized into three areas:
policies related to legal issues, including liability and privacy; inter-organizational
agreements for sharing and connection; and other policy issues, including
organizational and federal policies for sharing cybersecurity information. According to
the Heritage Foundation, Congress should pursue a cybersecurity policy that avoids a
cumbersome and expensive regulatory approach and enables information-sharing instead
of regulating it. 137

a.  Liability  and  Privacy  Policy  Concerns 

According  to  a  report  by  CSIS,  organizations  follow  the  guidance  derived  from 
the  Executive  Order  12333  that  implements  the  Privacy  Act  of  1974  or  the  Electronic 
Communications Privacy Act (ECPA). 138 These documents ensure that privacy rights of
U.S.  persons  are  protected.  The  problem  with  these  policies  is  that  they  were  not 
developed  with  the  idea  that  we  had  to  defend  networks  from  malicious  activity. 

Members of Congress have been engaged in cyber legislative discussions within
the past few years. Although they generally agree that comprehensive cyber reforms are
necessary to protect both private and government information systems, there are serious
disagreements over the details of the development and implementation of policy. 139 For
example, congressional staff have been debating the role of the federal government
and the responsibility and capabilities of DHS. 140 In addition, they have also been
debating the role of the private sector and how information-sharing between the private
sector and government would be done. There are also debates over what standards should
be used for protecting critical infrastructure as well as how to best develop the future of
our cybersecurity workforce.

136 Steven M. Rinaldi, Sharing the Knowledge: Government-Private Sector Partnerships to Enhance
Information Security (Colorado Springs, CO: USAF Institute for National Security Studies, 2000).

137 Bucci, Rosenzweig and Inserra, A Congressional Guide.

138 Adriane Lapointe, Oversight for Cybersecurity Activities: Why Intelligence Policies Won’t Work,
and What Kind of Approach Will (Washington, DC: Center for Strategic and International Studies, n.d.)
http://csis.org/files/publication/101202_Oversight_for_Cybersecurity_Activities.pdf

139 Bucci, Rosenzweig and Inserra, A Congressional Guide.

These debates are hampered by the limitations of Executive Orders. Under current
law, including the Electronic Communications Privacy Act and antitrust laws, the
companies that wish to share information with the government in order to help thwart
cyberattacks may face civil and possibly criminal penalties. These liabilities prevent
the private sector from sharing with the federal government. The Cybersecurity
Intelligence Sharing and Protection Act (CISPA) introduced in both the 112th and
113th congressional sessions attempted to address these liabilities but failed to be
approved. The findings conclude that the government needs more policies in place to
protect information systems and infrastructure. Since the Edward Snowden leaks the
public has concerns about their private information possibly being used by the
government. 143 Since private industry has a responsibility to both its consumers and the
government, a further debate needs to happen in order to balance the issue of sharing
between private sector and government.

According to the NIST, a key challenge for privacy has been the difficulty in
reaching consensus on definition and scope management, given its nature of being
context-dependent and relatively subjective. 144 The Fair Information Practice Principles
(FIPPs), developed in the early stages of computerization and data aggregation to
address the handling of individuals’ personal information, have become foundational in the
current conception of privacy. They have been used as a basis for a number of laws and
regulations, as well as various sets of privacy principles and frameworks around the
world. The FIPPs, however, are a process-oriented set of principles for handling
personal information. They do not purport to define privacy in a way that has enabled the
development of a risk management model, nor do they provide specific technical
standards or best practices that can guide organizations in implementing consistent
processes to avoid violating the privacy of individuals.

140 Ibid.

141 Rinaldi, Sharing the Knowledge.

142 Pauline C. Reich, “Culture Clashes: Freedom, Privacy, and Government Surveillance Issues
Arising in Relation to National Security and Internet Use,” in Law, Policy, and Technology (Hershey PA:
IGI Global, 2012), 200-278.

143 Whittaker, “Former NSA Executive.”

144 “NIST Roadmap for Improving Critical Infrastructure Cybersecurity,” National Institute of
Standards and Technology (NIST), February 12 2014,
http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf

Furthermore, the lack of a risk management model, standards, and supporting
privacy metrics makes it difficult to assess the effectiveness of an organization’s privacy
protection methods. Policies are often designed to address business risks that arise out of
privacy violations, such as reputation or liability risks, rather than focusing on
minimizing the risk of harm at an individual or societal level. According to NIST, there
are few identifiable technical standards or best practices to mitigate the impact of
cybersecurity activities on individuals’ privacy or civil liberties. 146

b.  Sharing  and  Interconnection  Agreements 

There is a lack of clearly defined steps that industry can take when partnering in
government cybersecurity activities. Some recommendations identified in the literature
were from Mitre and the Enduring Security Framework Operations Group. The
recommendation was that the government should initiate government-industry
agreements that enable industry to share information that is protected and aligned with
other information that is provided by the industry. 147 Information can be used in a
non-attributed type of product that can then be shared with other participants. The
agreement needs to clearly define when and to what extent information is shared.

In addition, the agreement should include specific clauses that are common to all
industry participants and that may be tailored to specific aspects of the sharing
transactions. For example, the clauses may include specific information about an
individual company’s particular involvement, where the entire agreement outlines all
expectations and limitations on overall industry involvement in the initiative.
Furthermore, as new companies are incorporated into the sharing initiative, modifications
for their particular agreement should be identified and included as best practices for other
agreements that are under development.

145 “NIST Cybersecurity Framework,” NIST, accessed June 2, 2014,
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

c.  Federal  Cyber  Sharing  Policies 

According to the Federal Trade Commission (FTC) antitrust guidelines, sector
specific agencies should coordinate with the Department of Justice (DOJ) Antitrust
Division in the development of a critical infrastructure protection business review
training module that will outline the process available to industry for collaborations with
critical infrastructure protection partners. In addition, the sector specific agencies in
conjunction with the DOJ should provide training on the aspects of antitrust specifically
related to cybersecurity efforts and antitrust compliance so that government and industry
remain educated on and sensitive to methods that can mitigate this concern and ensure
antitrust compliance.

4. Technology

Technology issues, specifically the automation of cyber information-sharing, were
also identified in the analysis as a barrier to cyber information-sharing. The cybersecurity
information needed to be shared includes cyber threat indicators, malware findings,
incidents, and victim information. Currently, these types of data are shared in the way of
reports via email, websites, and data feeds. The reports are shared as Word documents,
PDF files, or even XML feeds via email or links from websites. There is very little in the
way of automated information-sharing. The automated sharing of cyber information is the
main push for organizations and is identified as one of the main barriers.

Enduring Security Framework Operations Group, Threat and Vulnerability Information Sharing
Working Panel Final Report (unpublished manuscript, January 2010).

for Collaborations among Competitors, April 2000, http://www.ftc.gov/sites/default/files/documents

Differences in technological capabilities of government agencies and in the
private sector, such as the availability of information-sharing capabilities and skilled
employees to develop these systems, present an important challenge in cyber
information-sharing. Furthermore, the lack of standardized systems and data structures limits the
success of information-sharing initiatives. The technologies needed to enable a successful
cyber  information-sharing  capability  should  include  middleware  services  such  as  web 
services  and  data  transformation  services,  web  portals,  content  management  and  content 
discovery,  identity  control  and  access  management  (ICAM)  and  data  tagging,  structured 
languages  to  share  common  data,  and  cross  domain  solutions  to  enable  sharing  across 
multiple  security  domains.  The  next  chapter  will  provide  a  discussion  of  the  technology 
recommendations  for  a  successful  information-sharing  architecture. 

B. VALIDITY OF FINDINGS

The  validity  of  these  results  is  addressed  by  constantly  reviewing  the  findings  and 
querying  the  data  with  multiple  query  terms.  Any  relevant  new  data  that  emerged  from 
this  step  was  integrated  into  the  findings  for  further  analysis.  In  addition,  NVivo  software 
was  used  to  assist  with  organization  of  content,  coding,  and  theme  identification  by 
providing  the  automated  capability  to  narrow  down  the  results  of  the  thesis  and  therefore 
identifying the findings. According to Creswell, the advantages of using a computer
program to assist with data analysis are that it provides a way to organize and file data for
quick access; it forces the investigator to look closely at the data and think about what
each sentence might mean; it provides a mapping feature which allows visibility into the
relationships among the data; finally, it allows easy retrieval of the data. 152


152 John W. Creswell, Qualitative Inquiry and Research Design: Choosing among Five Approaches
(Thousand Oaks, CA: SAGE, 2012).
V. FINDINGS


A.  INTRODUCTION 

This thesis identified some of the primary barriers to cyber information-sharing
between government and the private sector and how these barriers may be overcome.
Through the study, it has been determined that if organizations implemented better
practices of sharing cyber threat information, they could use this information to protect
their networks and ultimately our infrastructure would be more secure.

After  analyzing  the  data  from  the  sources  of  this  study,  it  is  evident  that  the 
barriers  to  sharing  of  cybersecurity  information  are  not  much  different  than  barriers  when 
sharing  other  types  of  information  such  as  law  enforcement  or  intelligence  information. 
The  major  factors  that  contribute  to  cyber  information-sharing  barriers  were  found  to  be 
trust,  legal,  policy,  and  technology.  The  next  section  will  identify  the  factors  to  enable 
more  successful  sharing  of  cyber  information  such  as  incentives,  trust  relationships,  and 
sharing  agreements,  better  standards,  and  the  NIST  cyber  framework. 

According  to  Paul  Rosenzweig  and  David  Inserra  of  The  Heritage  Foundation, 
sharing  cybersecurity  intelligence  information  between  the  private  and  public  sectors  is 
important  because  it  alerts  companies  and  agencies  to  likely  attacks  or  specific  problems 
in the software. In order for information-sharing efforts to be effective, the
government  should  organize  sharing  efforts  in  order  for  this  information  to  flow  more 
rapidly,  preferably  in  an  automated  fashion.  When  sharing  cyber  intelligence  information, 
the  private  sector  needs  to  be  provided  with  legal,  FOIA,  and  regulatory  protections  so 
they  are  not  punished  when  they  do  share.  Information  sharing  should  be  broad  enough  to 
ensure  that  government  agencies  have  the  actionable  intelligence  they  need  in  order  to 
prevent  cybercrime  and  attacks.  Finally,  information-sharing  must  have  robust,  but  not 
restrictive,  oversight  to  ensure  that  information  is  used  appropriately. 


David  Inserra  and  Paul  Rosenzweig,  Cybersecurity  Information  Sharing:  One  Step  Toward  U.S. 
Security,  Prosperity,  and  Freedom  in  Cyberspace  (Washington,  DC:  Heritage  Foundation,  April  1,  2014). 
B. OVERCOMING TRUST BARRIERS

According to Sutton, trust is something that develops over time. The
beginnings of a trusted relationship cannot easily be developed over long distances. It is
through personal contact between private and public sector representatives over time
that trust begins to develop. Furthermore, by sharing useful information between
partners, trust is increased, and although a major incident is not a thing to be wished for,
when one happens and the relationship works well together, the level of trust increases
even further.

Another way in which trust may be developed is through regular emergency
exercises. These can be based on scenarios likely to affect public and private sector alike,
and can also act as a catalyst to find innovative ways of working together in a crisis.

In a recent survey done by the Ponemon Institute, respondents were asked
what the best way to exchange threat intelligence is. Many of the respondents
suggested that a trusted intermediary that shares with other organizations was the best
way to share. Another group of respondents suggested the use of a threat intelligence
exchange service would be a good way to share cyber threat intelligence.

In an ENISA study of successful public private partnerships, one recommendation
is about the importance of Trust Building Policies. The ENISA study reports that in
information-sharing networks where information-sharing is the core service provided, a
key requirement is a high degree of trust in the network itself (i.e., that the policies,
membership rules, requirement for security clearance, and interaction type must have
been carefully designed to support trust). 156

Trust between entities need not be whole or persistent. Transient trust during a
moment of crisis may allow for a piece of information to be shared between two entities
that would not otherwise have been made available for consumption. A sliding trust scale
is influenced by operational need and quality of relationship. It must be incorporated into
a sharing network for information-sharing relationships that change over time. In this
case, the partner you don’t trust today may be your best friend tomorrow.

Sutton, “The Issue of Trust and Information Sharing,” 258-276.

155 Ponemon Institute, Exchanging Cyber Threat Intelligence.

“Cooperative Models for Effective Public Private Partnerships,” ENISA, accessed February 15,
2014, http://www.enisa.europa.eu/activities/Resilience-and-CIIP/public-private-partnership/national-public-private-partnerships-ppps/copy_of_desktop-reserach-on-public-private-partnerships.

Trust  relationships  must  span  the  different  engagement  levels:  from  the 
organizational leadership that empowers its staff to produce and consume information to
the  technical  staff  that  ultimately  will  use  the  information.  Having  an  institutional  process 
for  guiding  these  types  of  relationships  is  central  to  the  success  of  an  organization  as  a 
whole  in  participating  in  information-sharing  networks.  To  support  these  processes, 
organizations  will  need  to  focus  on  the  trust  scale  while  leveraging  mechanisms  and  tools 
to  support  the  mapping  and  perception  of  these  relationships. 

Trust  relationships  are  affected  by  both  the  organizational  and  ethnic  cultures  of 
the  sharing  entities.  There  are  cultures  where  no  information-sharing  will  take  place  until 
a  maturity  point  is  reached  in  the  relationship.  Then  there  are  ethnic  cultures  where  a 
business  need  will  drive  information-sharing  even  though  the  relationship  has  not 
matured  enough  for  sustained  information-sharing  between  entities. 

According to the Information Sharing Strategy of the Intelligence Community,
confidence in the information and confidence in the people who have access to the
information are both essential elements of trust. The quality of the information in an
information-sharing exchange can help build trust and mitigate risk. One way to do
this is to include a system that integrates attribute-based access, automated user
authorization and auditing, and security at the data-level to enable a trust-based model for
the free-flow of information among participants.
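
The following sketch is an added illustration, not part of the thesis or of any deployed
sharing system. It shows how the elements named above (attribute-based access, data-level
tags, automated authorization with auditing, a sliding trust scale, and non-attributed
release) could fit together; every class name, attribute, trust level and sample value is an
assumption constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Partner:
    name: str
    sector: str
    cleared: bool           # holds the clearance the network requires


@dataclass(frozen=True)
class Record:
    indicator: str
    source: str             # contributing organization
    min_trust: int          # data-level tag: lowest trust score allowed to read
    sectors: frozenset      # data-level tag: sectors the source releases to
    needs_clearance: bool   # data-level tag: clearance required to read
    attributable: bool      # may the contributor's name be passed on?


class SharingHub:
    """Trusted intermediary: decides each request from attributes and logs it."""

    def __init__(self):
        self.trust = {}     # partner name -> score 0..3 (the sliding scale)
        self.audit = []     # append-only list of decisions and trust changes

    def _log(self, event, **details):
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "event": event, **details})

    def set_trust(self, partner, score, reason):
        """Move a partner along the trust scale and record why."""
        if not 0 <= score <= 3:
            raise ValueError("trust score must be between 0 and 3")
        old = self.trust.get(partner.name, 0)
        self.trust[partner.name] = score
        self._log("trust_change", partner=partner.name,
                  old=old, new=score, reason=reason)

    def request(self, partner, record):
        """Return a releasable view of the record, or None if denied."""
        denials = []
        if self.trust.get(partner.name, 0) < record.min_trust:
            denials.append("trust below record minimum")
        if partner.sector not in record.sectors:
            denials.append("sector not in release list")
        if record.needs_clearance and not partner.cleared:
            denials.append("clearance required")
        # Every decision is audited, whether it grants or denies access.
        self._log("access", partner=partner.name, indicator=record.indicator,
                  granted=not denials, denials=denials)
        if denials:
            return None
        # Non-attributed product: the contributor's name is withheld
        # unless the contributor tagged the record as attributable.
        source = record.source if record.attributable else "withheld"
        return {"indicator": record.indicator, "source": source}


def demo():
    """Constructed scenario: trust rises after a jointly handled incident."""
    hub = SharingHub()
    utility = Partner("ExampleUtility", "energy", cleared=False)
    record = Record("198.51.100.7", "ExampleBank", min_trust=2,
                    sectors=frozenset({"finance", "energy"}),
                    needs_clearance=False, attributable=False)
    hub.set_trust(utility, 1, "new member")
    before = hub.request(utility, record)    # denied: trust 1 < 2
    hub.set_trust(utility, 2, "joint incident response")
    after = hub.request(utility, record)     # granted, source withheld
    return before, after, hub.audit


if __name__ == "__main__":
    before, after, audit = demo()
    print(before, after, len(audit))
```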

The findings of the Ponemon study concluded that trusted intermediaries involved
in the sharing of threat intelligence would improve current approaches to sharing threat
intelligence. The best two ways to exchange threat intelligence are with a trusted
intermediary that shares with other organizations and with a threat intelligence exchange
service. They found that it is not as popular to share directly with other organizations or
with a government entity that shares with other organizations.

Andreas I. Nicolaou and D. Harrison McKnight, “Perceived Information Quality in Data
Exchanges: Effects on Risk, Trust, and Intention to Use,” Information Systems Research 17, no. 4 (2006):
332-351.

C.  THE  LEGAL  DEBATE 

The  findings  revealed  that  the  legal  barriers  to  cybersecurity  information-sharing 
are  privacy,  antitrust,  liability,  and  protection  of  confidential  information.  The  following 
discussion  points  focus  around  these  findings. 

1.  Privacy 

Cybersecurity  information  shared  for  collaborative  purposes  might  be  used  by 
competitors  for  commercial  purposes,  including  such  cases  when  government  is  a 
customer  of  either  the  initial  company  or  a  competitor.  Government  should  initiate 
government-industry  agreements  that  enable  industry  to  share  information  that  is 
protected  and  aligned  with  other  industry-provided  information.  This  will  be  fused  in  a 
non-attributed product to be shared with other participants. The agreement incorporates
specific  clauses  defining  the  protection  of  commercial  opportunities. 

In a research paper, Rachel Nyswander Thomas of the Center for Strategic and
International Studies proposed legislation that would center public- and private-sector
cybersecurity collaboration onto a single objective such as research and development. 159
She proposes “civic switchboards,” a mechanism for connecting resources among
organizations that requires little government control. Thomas says two civic switchboards
would be necessary to improve national cybersecurity: a government-controlled one for
information-sharing and incident response, and a nonprofit one for other objectives, such
as research and development, technical standard setting and building human capital. In
some cases, the government civic switchboard would act as an intermediary between
existing public-private partnerships and in others foster the creation of new ones, she
says. Thomas cites the Obama administration’s Startup American Partnership as an
example of a civic switchboard-like entity; the partnership is a nonprofit convened at the
behest of the Small Business Administration that seeks to promote entrepreneurship.

Rachel Nyswander Thomas, Securing Cyberspace through Public-Private Partnership A

2.  Antitrust

In  a  discussion  paper  by  Avishalom  Tor  and  Amitai  Aviram  titled  “Overcoming 
Impediments  to  Information  Sharing,”  an  assessment  of  the  competitive  effects  of 
information-sharing  among  competitors  is  provided  along  with  an  outcome  for  a 
framework for public policy and antitrust law towards cooperation. Tor and Aviram
claim  that  the  behavioral  approach  to  antitrust  law  draws  on  a  large  body  of  empirical 
behavioral  evidence  to  inform  antitrust  doctrine  and  policymaking.  In  particular, 
behavioral  antitrust  focuses  on  findings  that  reveal  how  the  judgment  and  decision 
behaviors  of  actual  antitrust  actors  are  likely  to  systematically  and  predictably  deviate 
from  the  strict  rationality  that  antitrust  law  currently  assumes.  Perhaps  due  to  the 
dominance  in  antitrust  of  rationality-based  law  and  economics — from  the  field’s 
jurisprudence  and  enforcement  policies  to  its  legal  and  economic  scholarship — 
behavioral findings took far longer to garner broad attention in antitrust law than in many
other legal fields. In fact, until a few years ago, antitrust discourse largely neglected those
behaviorally  informed  analyses  offered  by  a  small  number  of  legal  scholars. 

One way to overcome the legal barriers is through education and clarity about the
laws that are currently barriers, such as antitrust. According to a recent document by the
Federal Trade Commission (FTC) and the Department of Justice (DOJ), some private
entities may be hesitant to share cyber threat information with each other because they
have been told by their legal counsel that sharing of information among competitors may
raise antitrust concerns. FTC and DOJ do not believe that antitrust is a real barrier to
cybersecurity information-sharing. According to the statement, while it is true that certain
information-sharing agreements among competitors can raise competitive concerns, the
sharing of cyber threat information is highly unlikely to lead to a reduction in competition
and, consequently, would not be likely to raise antitrust concerns.

According  to  the  FTC  and  the  DOJ,  antitrust  guidelines,  business  review  letters,  and 
advisory  opinions  explain  the  analytical  framework  for  information-sharing  and  the 
competition issues that may arise with information exchanges generally. The primary
concern  is  that  the  sharing  of  competitively  sensitive  information — such  as  recent,  current, 
and  future  prices,  cost  data,  or  output  levels — may  facilitate  price  or  other  competitive 
coordination  among  competitors.  The  joint  DOJ/FTC  Antitrust  Guidelines  for 
Collaborations  among  Competitors  provide  a  good  overview  of  how  the  Agencies 
analyze information-sharing as a general matter.

According  to  the  guidelines,  Sector  Specific  Agencies  should  coordinate  with  the 
Department  of  Justice  (DOJ)  Antitrust  Division  and  should  provide  annual  training  on 
aspects  of  antitrust  specifically  related  to  cybersecurity  efforts  and  antitrust  compliance 
so  that  government  and  industry  may  remain  educated  on  and  sensitive  to  methods  that 
can mitigate this concern and ensure antitrust compliance.

According to the White House, the announcement by the Department of Justice
and the Federal Trade Commission that clarifies that cybersecurity information can be
shared with competitors without violating antitrust law, long a perceived barrier to
effective cybersecurity, is important. These agencies, which enforce our antitrust laws,
have made clear today that they do not believe “that antitrust is — or should be — a
roadblock to legitimate cybersecurity information-sharing.”

3.  Liability and Protection of Confidential Information

Private  industry  has  reservations  about  sharing  confidential  or  proprietary 
information with government about vulnerabilities or attacks because they worry that the
information could be released to the public under the Freedom of Information Act
(FOIA). FOIA permits the public, including industry, and the media, to request and
receive information that has been shared within and to the government. Under current law
that information would also be available through FOIA requests to foreign citizens and
foreign governments. Industry has requested that an exemption to FOIA be provided for
the sharing of “sensitive corporate security” information with government. This is not
a unique request and Congress has provided exemption in at least 60 different instances
to prevent public disclosure of sensitive information.

Providing trust and instilling confidence that the information shared will be
protected is a significant and necessary step to ensuring that a two-way flow of
information can occur resulting in improved infrastructure protection. Most organizations
have existing processes in place to ensure the protection of privacy and civil liberties
when it comes to sharing information outside of their organizations.

D.  POLICY IMPLEMENTATIONS

1.  Overcoming  Liability  Concerns 

Future policies need to enable cyber information-sharing by removing
ambiguities, providing strong protections to sharers, and establishing a public-private
partnership to facilitate sharing. Entities that share cybersecurity information need certain
protections. These protections include exempting all shared information from FOIA
requests  and  regulatory  use,  and  providing  information  sharers  with  strong  liability 
protection. 

2.  Information Sharing Agreements

Effective  information-sharing  requires  the  government  to  share  fully  and  in  a 
timely manner with the private sector through a public-private partnership established for
this purpose. An Information Sharing Agreement (ISA) is an agreement made between
two or more collaborating organizations that describes verification and compliance
methodologies and defines the type of information and scope of sharing, how the
information will be used, what access control policies are being used, and what legal or
policy frameworks exist for compliance of the information, such as retention.170

3.  Federal Sharing Policies

Executive  Order  13636,  Improving  Critical  Infrastructure  Cybersecurity,  which 
was  signed  by  President  Obama  in  February  2013,  has  the  most  comprehensive  policy  for 
sharing  cybersecurity  information  between  private  sector  and  government.  It  directs 
Federal  agencies  to  use  their  existing  authorities  and  increase  cooperation  with  the  private 
sector  to  provide  better  protection  for  the  systems  that  are  critical  to  our  national  and 
economic security.

In addition, President Obama signed the Presidential Policy Directive (PPD)-21,
Critical  Infrastructure  Security  and  Resilience.  While  the  EO  establishes  a  number  of 
specific  programs  to  improve  cybersecurity,  it  does  so  under  the  overall  policy 
framework  set  out  by  PPD-21,  which  explains  the  President’s  commitment  to  partner 
with  owners  and  operators  to  secure  our  Nation’s  critical  infrastructure  against  threats. 

According to DHS, the EO and PPD update policy from a primary focus on
protecting critical infrastructure against terrorism to protecting, securing, and making the
nation’s critical infrastructure more resilient to all hazards, including natural disasters,
manmade threats, pandemics, and cyberattacks. Furthermore, it directs the executive
branch  to  strengthen  our  capability  to  understand  and  efficiently  share  information  about 
how  well  critical  infrastructure  systems  are  functioning  and  the  consequences  of  potential 
failures. 

170  “Multinational  Experiment  7  Outcome  3 — Cyber  Domain  Objective  3.2  Information  Sharing 
Framework  22  January  2013,”  NATO,  accessed  September  15,  2014, 
http://csrc.nist.gov/cyberframework/rfi_comments/dodJ s J 7_part_2_0227 1 3 .pdf

Under Executive Order 13636, NIST has produced the first version of a voluntary
framework  for  reducing  cybersecurity  risk  to  critical  infrastructure,  which  includes  a 
methodology  for  protecting  individuals’  privacy  and  civil  liberties  during  the  conduct  of 
cybersecurity  activities.  Released  in  February  2014,  the  Framework  for  Improving 
Critical  Infrastructure  Cybersecurity  was  developed  by  collaborating  extensively  with 
critical  infrastructure  owners  and  operators,  industry  leaders,  government  partners,  and 
other  stakeholders.  The  accompanying  NIST  Roadmap  for  Improving  Critical 
Infrastructure  Cybersecurity  identified  the  need  for  more  privacy  technical  standards  to 
support  the  privacy  methodology. 

The  Roadmap  identifies  key  areas  of  development,  alignment,  and 
collaboration. These key areas include authentication, automated indicator sharing,
conformity  assessment,  cybersecurity  workforce,  data  analytics,  alignment  with  the 
Federal  Information  Security  Management  Act  (FISMA),  international  impacts  and 
alignment,  supply  chain  risk  management,  and  technical  privacy  standards.  The 
automated  sharing  of  indicator  information  can  provide  organizations  with  timely, 
actionable  information  that  they  can  use  to  detect  and  respond  to  cybersecurity  events  as 
they  are  occurring.  Sharing  indicators  based  on  information  that  is  discovered  prior  to  and 
during  incident  response  activities  enables  other  organizations  to  deploy  measures  to 
detect, mitigate, and possibly prevent attacks as they occur.

To  address  the  privacy  policy  gaps  that  were  identified  in  the  previous  chapter, 
NIST  has  held  a  two-day  workshop  in  April  to  work  through  technical  standards  gaps 
issues.  The  focus  was  to  advance  privacy  engineering  as  a  foundation  for  the 
identification  of  technical  standards  and  best  practices  that  could  be  developed  to  mitigate 
the impact of cybersecurity activities on individuals’ privacy or civil liberties. The
objective is to provide a standards-based tool along with privacy engineering practices
that will help to evaluate the privacy posture of existing systems, enable the creation of
new systems that mitigate the risk of privacy harm and address privacy risks in a
measurable way within an organization’s overall risk management process. NIST will
engage a broad community of stakeholders to facilitate this work. The outcome of the
workshop is a report that identifies challenges in privacy engineering, and proposes a
framework for understanding privacy risk and a methodology for designing
privacy-enabled systems that would support outcome-driven privacy design and engineering
practices.  More  workshops  will  be  held  to  continue  this  body  of  work. 

E.  TECHNOLOGY 

1.  Enabling Cybersecurity Information Sharing

There are many technologies needed to enable a successful cyber information-sharing
capability. These technologies may include user-facing capabilities such as
portals,  content  and  document  management,  collaboration,  and  content  discovery.  Other 
technologies  include  infrastructure  capabilities  such  as  service  oriented  architecture 
integration  services,  identity  control  and  access  management  (ICAM)  and  data  tagging, 
structured  languages  to  provide  common  formats  and  support  automated  data  exchange, 
and  cross  domain  solutions  to  enable  sharing  across  multiple  security  domains. 

The  Homeland  Security  Information  Network  (HSIN)  is  an  example  of  a 
successful  implementation  of  an  information-sharing  architecture.  HSIN  is  the  trusted 
network  for  homeland  security  mission  operations  to  share  Sensitive  but  unclassified 
(SBU)  information.  Federal,  state,  local,  tribal,  territorial,  international  and  private  sector 
homeland  security  partners  use  HSIN  to  manage  operations,  analyze  data,  send  alerts  and 
notices,  and  in  general,  share  the  information  they  need  to  do  their  jobs. 

The  National  Cyber  Protection  System  Information  Sharing  (NCPS-IS)  is  the 
platform being developed by DHS for cybersecurity related information-sharing for
public and private organizations. The National Cybersecurity Protection System
(NCPS) Program is an integrated system of Intrusion Detection, Intrusion Prevention,
analytical, and information-sharing capabilities used to defend the Federal Government’s
information technology infrastructure from cyber threats. NCPS-IS will help prevent
cyber incidents from occurring through improved discovery of, dissemination of, and
access to threat, vulnerability, and mitigation information. It will help reduce the time to
respond to incidents through improved collaboration and coordination. Further, it will
provide auditing of the information that is shared to ensure quality control and foster
increased information-sharing through increased transparency and privacy assurance. The
end result of increased sharing through the NCPS-IS will be an increase in the
understanding of the entire threat to U.S. network systems and a cohesive and
comprehensive defensive stance against network attacks.

2.  Data Quality and Actionable Intelligence

Information quality is the degree to which information meets the needs of its
users. Sometimes information which is high quality for one user is low quality for
another. Further, the data that is shared must be actionable. In an October 2013 report on
Threat Intelligence, Gartner essentially points out that most vendors are offering Cyber
Threat information, not cyber threat intelligence, and that “only a comparative few
(vendors)... provide true intelligence capabilities.” Gartner defines cyber threat
intelligence as “Evidence-based knowledge, including context, mechanisms, indicators,
implications and actionable advice about an existing or emerging menace or hazard to
assets that can be used to inform decisions regarding the subject’s response to that
menace or hazard.”

Cyber threat intelligence needs to include much more than raw data. It requires
rich  contextual  information  that  can  only  be  created  with  the  application  of  human 
analysis.  This  contextual  information  includes  an  understanding  of  the  past,  present  and 
future  tactics,  techniques  and  procedures  (TTPs)  of  a  wide  variety  of  adversaries.  It  must 
also  include  the  linkage  between  the  technical  indicators  (e.g.,  IP  addresses  and  domains 
associated  with  threats  or  hashes  that  “fingerprint”  malicious  files),  adversaries,  their 
motivations  and  intents,  and  information  about  who  is  being  targeted.  It  also  involves  the 
identification  and  ongoing  monitoring  of  threat  actors  and  integration  with  analysts  to 
develop  the  finished  intelligence. 

Organizations  need  to  merge  intelligence  that  is  gathered  through  human  analysis 
with  technical  intelligence.  This  will  provide  the  rich,  accurate  and  actionable 
intelligence  that  can  inform  decision  makers.  The  technical  intelligence  can  include  such 
things  as  open-source  data,  indicators  scraped  from  the  underground  and  analysis  of 
various  malware  toolkits,  system  log  data,  and  information  shared  from  industry  groups 
or  other  sharing  partners. 

3.  Cyber  Standards 

For  cybersecurity  information  to  be  of  high  quality  for  an  organization  to  take 
action  on  it,  the  information  must  be  accessible,  complete,  accurate,  relevant,  coherent 
and  valid.  Furthermore,  it  must  be  in  a  format  that  can  be  understood  by  a  person  or  be 
machine  readable  by  a  system.  In  order  to  address  the  machine  readable  format,  the 
recent development of cyber threat sharing standards such as Structured Threat
Information eXpression (STIX) and Incident Object Definition (IODEF) as well as
Mandiant’s OpenIOC (Indicators of Compromise) will enable application developers to
utilize  these  standards  to  enable  sharing. 

According to Verizon, one must rely on evidence, as in any investigation.
Some of the most important evidence comes from gathering indicators of compromise
(IOCs). IOCs are identifiable events and artifacts that suggest a security incident
occurred. Consistently collecting and maintaining the right data sources provides an
organization with a resource from which to mine for IOCs, and a basic foundation for a
stronger investigation.

The problem with these standards is that there may be political barriers to deciding
which are the best standards to use for information-sharing. CNCI-5 has provided the
funding for the development of MITRE’s Structured Threat Information eXpression (STIX),
which is the main format in which the cyber operation centers are sharing information. The
problem with the use of STIX as the standard for sharing cyber threat information
is that if other organizations, for example international centers, want to share with federal
centers and they do not use STIX, it will be hard to share.
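The format mismatch described above, and the "non-attributed product" proposed under Privacy, can be bridged by a translation layer; the following is an added example (not code from the thesis, MITRE, Mandiant or DHS) that maps STIX and OpenIOC indicators onto one vocabulary and fuses them with the submitter's identity dropped. It assumes the STIX 2.1 JSON serialization (later than the XML version current when this was written), handles only equality comparisons, and uses constructed sample data; the function names and the fused record layout are hypothetical.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: STIX 2.1 bundle from one partner (documentation addresses only).
STIX_SAMPLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [{
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000002",
        "created_by_ref": "identity--00000000-0000-4000-8000-000000000003",
        "pattern_type": "stix",
        "pattern": "[ipv4-addr:value = '198.51.100.7'] OR "
                   "[file:hashes.MD5 = '0123456789ABCDEF0123456789ABCDEF']",
    }],
})

# Constructed sample: OpenIOC 1.0 document from a second partner.
OPENIOC_SAMPLE = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001">
  <authored_by>Member Bank A (constructed)</authored_by>
  <definition>
    <Indicator operator="OR" id="constructed-0002">
      <IndicatorItem id="constructed-0003" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
        <Content type="IP">198.51.100.7</Content>
      </IndicatorItem>
      <IndicatorItem id="constructed-0004" condition="is">
        <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
        <Content type="string">Bad.Example.TEST</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

IOC_NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
# Each format's own field name mapped onto one shared vocabulary.
STIX_PATHS = {"ipv4-addr:value": "ipv4", "domain-name:value": "domain",
              "file:hashes.MD5": "md5"}
OPENIOC_TERMS = {"PortItem/remoteIP": "ipv4", "DnsEntryItem/Host": "domain",
                 "FileItem/Md5sum": "md5"}
# Only simple equality comparisons are handled; richer STIX patterns are skipped.
COMPARISON = re.compile(r"\[\s*([\w:.'-]+)\s*=\s*'([^']*)'\s*\]")


def _record(kind, value, fmt, producer):
    """Normalise case and whitespace so the same indicator compares equal."""
    return {"type": kind, "value": value.strip().lower(),
            "format": fmt, "producer": producer}


def from_stix(text):
    """Extract supported observables from STIX 2.1 indicator patterns."""
    records = []
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for path, value in COMPARISON.findall(obj.get("pattern", "")):
            if path in STIX_PATHS:
                records.append(_record(STIX_PATHS[path], value, "stix",
                                       obj.get("created_by_ref")))
    return records


def from_openioc(text):
    """Extract supported observables from OpenIOC 'is' indicator items."""
    # xml.etree keeps the example offline; for feeds from partners you do not
    # fully trust, a hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring(text)
    producer = root.findtext("ioc:authored_by", default=None, namespaces=IOC_NS)
    records = []
    for item in root.iterfind(".//ioc:IndicatorItem", IOC_NS):
        context = item.find("ioc:Context", IOC_NS)
        content = item.find("ioc:Content", IOC_NS)
        if item.get("condition") != "is" or context is None or content is None:
            continue
        kind = OPENIOC_TERMS.get(context.get("search"))
        if kind and content.text:
            records.append(_record(kind, content.text, "openioc", producer))
    return records


def fuse(records):
    """Merge duplicates and drop producer identity, keeping only a reporter count."""
    merged = {}
    for rec in records:
        entry = merged.setdefault((rec["type"], rec["value"]),
                                  {"formats": set(), "producers": set()})
        entry["formats"].add(rec["format"])
        entry["producers"].add(rec["producer"])
    return [
        {"type": kind, "value": value,
         "formats": sorted(e["formats"]), "reporters": len(e["producers"])}
        for (kind, value), e in sorted(merged.items())
    ]


if __name__ == "__main__":
    for row in fuse(from_stix(STIX_SAMPLE) + from_openioc(OPENIOC_SAMPLE)):
        print(row)
```

The address reported by both partners collapses into one fused entry with a reporter count of two, and neither submitter's identity appears in the output.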

F.  THE ROLE OF THE INFORMATION SHARING AND ANALYSIS CENTERS

In  1996,  the  Clinton  administration  created  the  President’s  Commission  on 
Critical  Infrastructure  Protection  (PCCIP)  to  study  the  U.S.  critical  infrastructures, 
determine  vulnerabilities  and  propose  a  strategy  to  protect  the  nation.  A  key  finding  of 
the  PCCIP  in  its  1997  report  examining  the  vulnerabilities  in  the  critical  infrastructures  is 
the  need  for  information-sharing  through  a  public-private  partnership  to  better  prepare  to 
combat  cyber  threats.  Building  on  the  recommendations  of  the  PCCIP,  the  Clinton 
Administration  issued  Presidential  Decision  Directive  63  (PDD  63)  in  May  1998  as  the 
centerpiece  of  the  Administration’s  policy  on  Critical  Infrastructure  Protection.  This 
policy defined the United States critical infrastructure as “those physical and cyber-based
systems essential to the minimum operations of the economy and government.” PDD 63
further defined these systems into six initial areas: telecommunications, energy, banking
and finance, transportation, water systems and emergency services, both government and
private. PDD 63 recognized the important role of the private sector as the owners and
operators of nearly all elements of the critical infrastructure in protecting the nation’s
cyber well-being and set out to develop partnerships with industry to improve
information-sharing on vulnerabilities in networked systems, best practices and incidents as
a means to reduce the potential threats that existed at that time. To facilitate this
information-sharing, PDD 63 charged the National Coordinator for Security, Infrastructure
Protection and Counter-Terrorism to encourage the creation of private-sector Information
Sharing and Analysis Centers (ISACs) comprised of the sectors of the critical infrastructure.
Federal Agencies were designated as Sector Liaisons with related industry ISACs to
assist with problems related to their sector. The ISACs enable industry within a specific
sector to share information on threats, vulnerabilities, and information about an attack.
This allows the flow of information between the public and private sector on threats and
vulnerabilities, therefore accelerating response. PDD-63 was updated in 2003 with
Homeland Security Presidential Directive/HSPD-7 to reaffirm the partnership mission
of better protecting our critical infrastructures and to help minimize vulnerabilities; the
DHS established ISACs to allow critical sectors to share information and work together to
help better protect the economy.

Today there are 18 ISACs for critical infrastructure. Of all of the ISACs, one
stands out among the rest when it comes to a successful approach to cyber
information-sharing. That ISAC is the Financial Services Information Sharing and Analysis
Center (FS-ISAC). The FS-ISAC was established by the financial services sector in response
to 1998’s PDD-63 and co-ordinates security collaboration among banks.182 FS-ISAC is
a not-for-profit organization formed to serve the needs of the financial services industry
for the dissemination of physical and cybersecurity, threat, vulnerability, incident, and
solution information. Later, Homeland Security Presidential Directive-7 updated the
directive.183 The update mandates that the public and private sectors share information
about physical and cybersecurity threats and vulnerabilities to help protect U.S. critical
infrastructure.

Another ISAC that is emerging as a leader in cyber information-sharing is the
COMMs ISAC. The COMMs ISAC’s mission is to facilitate voluntary collaboration and
information-sharing among Government and industry in support of Executive Order
12472 and the national critical infrastructure protection goals of Presidential Decision
Directive 63 (PDD-63); to gather information on vulnerabilities, threats, intrusions, and
anomalies from multiple sources; and to perform analysis with the goal of averting or
mitigating impact on the telecommunications infrastructure.184

182 Antone Gonsalves, “How Retailers can Boost Security through Information Sharing,” CXO Media,
accessed August 21, 2014,
http://www.csoonline.com/article/2156060/data-protection/how-retailers-can-boost-security-through-information-sharing.html.

183 Lech Janczewski and Andrew M. Colarik, Cyber Warfare and Cyber Terrorism (Hershey, PA: IGI
Global, 2008).

G.  NIST  CYBER  FRAMEWORK  AS  A  WAY  FORWARD 

Since  Executive  Order  13636  was  issued,  NIST  has  played  a  convening  role  in 
developing  the  Framework,  drawing  heavily  on  standards,  guidelines,  and  best  practices 
already  available  to  address  key  cybersecurity  needs.  NIST  also  relied  on  organizations 
and  individuals  with  experience  in  reducing  cybersecurity  risk  and  managing  critical 
infrastructure. Organizations that are part of the critical infrastructure can use the
Framework to better manage and reduce their cybersecurity risks.

Not  all  critical  infrastructure  organizations  have  a  mature  program  and  the 
technical  expertise  in  place  to  identify,  assess,  and  reduce  cybersecurity  risk.  Many  have 
not  had  the  resources  to  keep  up  with  the  latest  cybersecurity  advances  and  challenges  as 
they  balance  risks  to  their  organizations.  NIST  intends  for  the  Framework  to  be  a  basic, 
flexible,  and  adaptable  tool  for  managing  and  reducing  cybersecurity  risks.  It  is  intended 
to  be  a  living  document  and  will  continue  to  be  updated  and  improved  as  industry 
provides  feedback  on  implementation.  As  the  Framework  is  put  into  practice,  lessons 
learned  will  be  integrated  into  future  versions.  This  will  ensure  it  is  meeting  the  needs  of 
critical  infrastructure  owners  and  operators  in  a  dynamic  and  challenging  environment  of 
new  threats,  risks,  and  solutions.  NIST  will  also  hold  one  or  more  workshops  and  focused 
meetings  on  specific  areas  for  development,  alignment,  and  collaboration. 

The  NIST  Cybersecurity  Framework  is  just  a  piece  of  the  puzzle  in  the  evolution 
of  cybersecurity,  one  in  which  the  balance  is  shifting  to  proactive  risk-management 
standards.  While  the  Framework  is  voluntary,  organizations  across  industries  may  gain 
significant  benefits  by  adopting  the  guidelines.  According  to  Price  Waterhouse  Coopers, 
for most organizations, whether they are owners, operators, or suppliers for critical
infrastructure, the NIST Cybersecurity Framework may be well worth adopting solely for
its stated goal of improving risk-based security.185 It also can deliver ancillary
benefits that include effective collaboration and communication of security posture with
executives and industry organizations, as well as potential future improvements in legal
exposure and even assistance with regulatory compliance.

184 “National Cyber Incident Response Plan,” Department of Homeland Security, accessed September
15, 2014, http://www.federalnewsradio.com/pdfs/NCIRP_Interim_Version_September_2010.pdf

A guiding principle of the Framework is collaboration to share information and
improve cybersecurity practices and threat intelligence. A recent report by Price
Waterhouse Coopers (PwC) shows that companies with highly effective security
practices make it a point to collaborate with others to advance security and threat
awareness. One of the most effective collaboration methods is participation in
Information Sharing and Analysis Centers (ISACs), which have gained traction in
security-forward industries like financial services. PwC recommends that organizations
actively participate in ISACs appropriate to their industry.186

According to Deloitte, even though adoption of NIST’s cybersecurity framework
for critical infrastructure providers is currently voluntary, CIOs who opt to apply it to
enterprise risk management practices may improve their ability to calibrate not just their
organizations’ cyber risk, but also business risk more broadly, while more efficiently
allocating the information security budget.187

The Framework means little, though, if it does not get adopted by industry. In a
recent report from the Mercatus Center at George Mason University, the authors claim
that the Cybersecurity Framework threatens to undermine this largely functioning system
by imposing a brittle, technocratic standard that benefits specific interests and diminishes
the incentives for cybersecurity innovation.188 Further, they argue that instead of a
government-driven, technocratic solution, cybersecurity insurance is an attractive
solution to the problem of critical infrastructure protection. Insurance coverage can be
flexible and tailored to specific needs and would incentivize firms to consistently
improve their internal cybersecurity so as to keep premiums manageable. The problem
they recognize is that the insurance market is still underdeveloped.

185 PricewaterhouseCoopers, Why You Should Adopt the NIST Cybersecurity Framework (London:
PricewaterhouseCoopers, May 2014)
http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf.

186 Ibid.

187 Deloitte, “NIST Cyber Security Framework: 4 Steps for CIOs,” Wall Street Journal, January 14,
2014, http://deloitte.wsj.com/cio/2014/01/14/nist-cyber-security-framework-4-steps-cios-can-take-now/.

188 Eli Dourado and Andrea Castillo, Why the Cybersecurity Framework Will Make Us Less Secure
(Fairfax, VA: Mercatus Center at George Mason University, 2014).

Critical Infrastructure owners and operators must weigh cybersecurity costs and
benefits against other business and operational requirements, on the basis of their
particular market environment, and within existing fiscal or operational regulatory
boundaries. To address the concerns of adoption, the DHS Integrated Task Force (ITF)
performed a study to recommend a set of incentives designed to promote adoption of the
Cybersecurity Framework, evaluate the benefits and relative effectiveness of each of the
incentives in promoting adoption of the Framework, and to determine which of the
incentives require legislation and which can be provided under existing laws. There
are 14 broad categories of incentives, including things such as expedited security
clearance processes, grants, insurance, and tax incentives. For Information Sharing,
incentives were identified for ensuring that framework owners and operators are
informed of relevant real-time cyber threat information. For liability considerations,
reduced liability in exchange for improved cybersecurity or increased liability for the
consequences of poor security were identified.

As  the  Framework  is  in  the  beginning  stages  for  implementation  and  adoption, 
there  is  more  work  that  needs  to  be  done.  Success  of  the  Framework  along  with  many  of 
these incentives is dependent on compliance with the identified cybersecurity standards
and  practices  and  the  adoption  of  new  technologies,  processes,  and  procedures.  There  is 
much  more  work  that  can  be  studied  in  this  area. 


189  “Cybersecurity  Incentives  Material,”  Department  of  Homeland  Security,  accessed  August  21, 
2014,  http://www.amwa  net/galleries/default-file/CybersecurityIncentivesMaterial.pdf 

DHS,  Incentives  Study  Analytic  Report. 
H. CONCLUSION


Three major conclusions can be made from this study. The first conclusion is that
the exchange of cybersecurity information is critical in order to help organizations
mitigate the security threats they face. With more and more sophisticated cyber criminals
it is difficult, costly and ineffective to fight online attacks alone. Having the ability to
connect and share information about existing and emerging threats could measurably
improve  an  organization’s  cyber  defenses. 

Second,  many  organizations  are  either  fully  or  partially  participating  in  the 
exchange  of  cyber  threat  intelligence.  However,  there  is  much  that  needs  to  be  done  to 
improve  collaboration  and  benefit  from  information  that  identifies  patterns  and  trends 
that  reveal  ongoing  attacks  and  future  hazards.  According  to  The  White  House,  the  goal 
is  for  the  government  to  be  a  reliable  information-sharing  partner,  but  only  one  of  many. 
Companies  that  are  targeted  by  criminals  and  nation  state  actors  should  establish 
information-sharing  channels  with  the  National  Cybersecurity  &  Communications 
Integration  Center  at  the  Department  of  Homeland  Security,  law  enforcement  agencies 
such  as  the  FBI  and  Secret  Service,  and  with  other  relevant  agencies;  however,  they 
should also build information-sharing relationships with private sector partners and
organizations. 191

Finally,  sharing  should  be  voluntary,  in  order  to  encourage  true  cooperation. 
Voluntary  sharing  allows  organizations  with  privacy  concerns  to  avoid  sharing  their 
information,  while  still  receiving  the  information  they  need  from  the  government.  Strong 
liability  protection  is  critical  for  those  companies  who  share  information  and  must  be 
provided  if  a  company  is  going  to  share  with  the  government.  The  information  shared  by 
the  private  sector  must  be  exempt  from  Freedom  of  Information  Act  (FOIA)  requests.  If 
shared  information  is  exempted  from  FOIA  and  regulatory  use,  a  company  can  share 
important  data  without  fear  that  its  competitive  advantages  will  be  lost  to  other  firms  or 
used  by  regulators  to  impose  more  rules  or  costs. 


191  Daniel,  “Getting  Serious  about  Information  Sharing  for  Cybersecurity.” 
Lastly, the government must share information with the private sector much more
than it currently does in order to build trust with the private sector. President Obama’s
Executive Order 13636 and the NIST Cybersecurity Framework are a step in the right
direction,  but  more  must  be  done.  With  the  evolution  of  the  technical  standards  such  as 
STIX  and  TAXII,  we  must  further  the  development  efforts  in  the  automation  of  cyber 
information-sharing  in  order  to  get  actionable  intelligence  shared  at  net-speed.  Finally, 
with  the  development  of  the  DHS  NCPS-IS,  the  nation’s  cyber  enterprise  posture  will 
have  increased  situational  awareness  through  the  sharing  of  cyber  status  and  cyber  risk 
among  public  and  private  participants. 
APPENDIX. NVIVO SOURCE SUMMARY


The following report generated from the NVivo software tool provides a list of
sources that were used as research material for this thesis: